Re: [openssl-users] cipher suite ECDH-ECDSA-AES128-SHA256

2011-05-25 Thread Erwann ABALEA
Bonjour,

Hodie VIII Kal. Iun. MMXI, shoutee scripsit:
> I want to run a TLS Server with support of cipher suite
> 'ECDH-ECDSA-AES128-SHA256' (RFC 5289). Unfortunately I can't find this
> cipher suite within tls1.h. ECDSA is only available with SHA1.
>
> Since openssl supports SHA256 I thought that ECDSA with SHA256 should be
> available, or am I missing something?
> I'm using openssl-1.0.0d.

The ciphersuites defined in RFC5289 apply to TLS1.2 only. OpenSSL
doesn't support (yet) TLS1.2.
If your next question is "when will OpenSSL support TLS1.2?", you'll
find the answer in the archives, as it has been asked quite some
times.

-- 
Erwann ABALEA erwann.aba...@keynectis.com
Département RD
KEYNECTIS
-
Architect: Someone who knows the difference between that which could 
be done and that which should be done.
 Larry McVoy
__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   majord...@openssl.org
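
As an added example (not part of the thread, and not OpenSSL project code): a Python probe that asks the OpenSSL build linked into Python's `ssl` module whether it can enable the suite discussed above, and which protocol version and code point it reports for it. The function names `probe_suite` and `report` and the two comparison suites are choices made for this example.

```python
import ssl

# OpenSSL name -> 16-bit code point registered for the suite (RFC 5289).
# The first entry is the suite asked about; the others are its ephemeral
# (ECDHE) and GCM counterparts, chosen here for comparison.
RFC5289_SUITES = {
    "ECDH-ECDSA-AES128-SHA256": 0xC025,
    "ECDHE-ECDSA-AES128-SHA256": 0xC023,
    "ECDHE-ECDSA-AES128-GCM-SHA256": 0xC02B,
}


def probe_suite(name):
    """Return {'protocol', 'code_point'} as reported by the linked OpenSSL,
    or None when this build cannot enable a suite with that name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # Raises SSLError when the cipher string selects nothing.
        ctx.set_ciphers(name)
    except ssl.SSLError:
        return None
    # TLS 1.3 suites can stay in the list regardless, so match by name.
    for cipher in ctx.get_ciphers():
        if cipher["name"] == name:
            return {"protocol": cipher["protocol"],
                    "code_point": cipher["id"] & 0xFFFF}
    return None


def report(names=RFC5289_SUITES):
    """Probe every suite name and return {name: result-or-None}."""
    return {name: probe_suite(name) for name in names}


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for name, info in report().items():
        if info is None:
            print(f"{name}: not available in this build")
        else:
            print(f"{name}: {info['protocol']}, 0x{info['code_point']:04X}")
```

A suite reported as not available means the build either predates it or has since dropped or disabled it; the probe does not tell those cases apart.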


Re: [openssl-users] cipher suite ECDH-ECDSA-AES128-SHA256

2011-05-25 Thread Dr. Stephen Henson
On Wed, May 25, 2011, Erwann ABALEA wrote:

> Bonjour,
>
> Hodie VIII Kal. Iun. MMXI, shoutee scripsit:
> > I want to run a TLS Server with support of cipher suite
> > 'ECDH-ECDSA-AES128-SHA256' (RFC 5289). Unfortunately I can't find this
> > cipher suite within tls1.h. ECDSA is only available with SHA1.
> >
> > Since openssl supports SHA256 I thought that ECDSA with SHA256 should be
> > available, or am I missing something?
> > I'm using openssl-1.0.0d.
>
> The ciphersuites defined in RFC5289 apply to TLS1.2 only. OpenSSL
> doesn't support (yet) TLS1.2.
> If your next question is "when will OpenSSL support TLS1.2?", you'll
> find the answer in the archives, as it has been asked quite some
> times.
 

The answer however has changed: experimental TLS v1.2 code is present in HEAD
and the 1.0.1 stable branch. The code hasn't been fully tested yet so some
bugs may remain. There are some known interop problems with some ECC
ciphersuites: that is OpenSSL can connect to some servers but not others. At
this point it isn't clear if the problem is with the servers or OpenSSL.

If anyone knows of any public servers supporting TLS v1.2 I'd be interested
in some interop testing.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] cipher suite ECDH-ECDSA-AES128-SHA256

2011-05-25 Thread Erwann ABALEA
Bonjour,

Hodie VIII Kal. Iun. MMXI, Dr. Stephen Henson scripsit:
> On Wed, May 25, 2011, Erwann ABALEA wrote:
> > Hodie VIII Kal. Iun. MMXI, shoutee scripsit:
> > > I want to run a TLS Server with support of cipher suite
> > > 'ECDH-ECDSA-AES128-SHA256' (RFC 5289). Unfortunately I can't find this
> > > cipher suite within tls1.h. ECDSA is only available with SHA1.
> > >
> > > Since openssl supports SHA256 I thought that ECDSA with SHA256 should be
> > > available, or am I missing something?
> > > I'm using openssl-1.0.0d.
> >
> > The ciphersuites defined in RFC5289 apply to TLS1.2 only. OpenSSL
> > doesn't support (yet) TLS1.2.
> > If your next question is "when will OpenSSL support TLS1.2?", you'll
> > find the answer in the archives, as it has been asked quite some
> > times.
>
> The answer however has changed: experimental TLS v1.2 code is present in HEAD
> and the 1.0.1 stable branch. The code hasn't been fully tested yet so some

I forgot that, it was mentioned once recently, you're right.
Was that work funded, or did some developer dedicate some spare time
for this?

> If anyone knows of any public servers supporting TLS v1.2 I'd be interested
> in some interop testing.

If you can install a recent IIS, you'll have TLS1.2.
Recent versions of GNUTLS also support TLS1.2.

IE9 (probably on Windows 7) also supports TLS1.2, if you want to test
the server part.

-- 
Erwann ABALEA erwann.aba...@keynectis.com
Département RD
KEYNECTIS
-
Stupidity has no limits, genius does.


Re: [openssl-users] cipher suite ECDH-ECDSA-AES128-SHA256

2011-05-25 Thread shoutee
On Wed, 25 May 2011 12:21:04 +0200
Dr. Stephen Henson st...@openssl.org wrote:

> On Wed, May 25, 2011, Erwann ABALEA wrote:
>
> > Bonjour,
> >
> > Hodie VIII Kal. Iun. MMXI, shoutee scripsit:
> > > I want to run a TLS Server with support of cipher suite
> > > 'ECDH-ECDSA-AES128-SHA256' (RFC 5289). Unfortunately I can't find this
> > > cipher suite within tls1.h. ECDSA is only available with SHA1.
> > >
> > > Since openssl supports SHA256 I thought that ECDSA with SHA256 should be
> > > available, or am I missing something?
> > > I'm using openssl-1.0.0d.
> >
> > The ciphersuites defined in RFC5289 apply to TLS1.2 only. OpenSSL
> > doesn't support (yet) TLS1.2.
> > If your next question is "when will OpenSSL support TLS1.2?", you'll
> > find the answer in the archives, as it has been asked quite some
> > times.
>
> The answer however has changed: experimental TLS v1.2 code is present in HEAD
> and the 1.0.1 stable branch. The code hasn't been fully tested yet so some
> bugs may remain. There are some known interop problems with some ECC
> ciphersuites: that is OpenSSL can connect to some servers but not others. At
> this point it isn't clear if the problem is with the servers or OpenSSL.
>
> If anyone knows of any public servers supporting TLS v1.2 I'd be interested
> in some interop testing.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

Only server I know is http://ecc.fedora.redhat.com

Markus



Re: [openssl-users] cipher suite ECDH-ECDSA-AES128-SHA256

2011-05-25 Thread Thulasi
> The answer however has changed: experimental TLS v1.2 code is present in HEAD
> and the 1.0.1 stable branch. The code hasn't been fully tested yet so some
> bugs may remain. There are some known interop problems with some ECC
> ciphersuites: that is OpenSSL can connect to some servers but not others. At
> this point it isn't clear if the problem is with the servers or OpenSSL.

From ssl/tls1.h of today's snapshot, it looks to me that CipherSuites from
RFC 5288 and 5289 (ECC and GCM TLS1.2 CipherSuites) are not added yet.

Thanks,
Thulasi.

On 25 May 2011 15:51, Dr. Stephen Henson st...@openssl.org wrote:

> On Wed, May 25, 2011, Erwann ABALEA wrote:
>
> > Bonjour,
> >
> > Hodie VIII Kal. Iun. MMXI, shoutee scripsit:
> > > I want to run a TLS Server with support of cipher suite
> > > 'ECDH-ECDSA-AES128-SHA256' (RFC 5289). Unfortunately I can't find this
> > > cipher suite within tls1.h. ECDSA is only available with SHA1.
> > >
> > > Since openssl supports SHA256 I thought that ECDSA with SHA256 should
> > > be available, or am I missing something?
> > > I'm using openssl-1.0.0d.
> >
> > The ciphersuites defined in RFC5289 apply to TLS1.2 only. OpenSSL
> > doesn't support (yet) TLS1.2.
> > If your next question is "when will OpenSSL support TLS1.2?", you'll
> > find the answer in the archives, as it has been asked quite some
> > times.
>
> The answer however has changed: experimental TLS v1.2 code is present in HEAD
> and the 1.0.1 stable branch. The code hasn't been fully tested yet so some
> bugs may remain. There are some known interop problems with some ECC
> ciphersuites: that is OpenSSL can connect to some servers but not others. At
> this point it isn't clear if the problem is with the servers or OpenSSL.
>
> If anyone knows of any public servers supporting TLS v1.2 I'd be interested
> in some interop testing.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org



Re: [openssl-users] cipher suite ECDH-ECDSA-AES128-SHA256

2011-05-25 Thread Dr. Stephen Henson
On Wed, May 25, 2011, Thulasi wrote:

> > The answer however has changed: experimental TLS v1.2 code is present in HEAD
> > and the 1.0.1 stable branch. The code hasn't been fully tested yet so some
> > bugs may remain. There are some known interop problems with some ECC
> > ciphersuites: that is OpenSSL can connect to some servers but not others. At
> > this point it isn't clear if the problem is with the servers or OpenSSL.
>
> From ssl/tls1.h of today's snapshot, it looks to me that CipherSuites from
> RFC 5288 and 5289 (ECC and GCM TLS1.2 CipherSuites) are not added yet.
 

Yes the initial TLS v1.2 code doesn't include GCM ciphersuites: they will be
supported at some point though.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org