[prev in list] [next in list] [prev in thread] [next in thread]
List: openssl-users
Subject: Re: [openssl-users] openssl-users Digest, Vol 29, Issue 20
From: "Schmicker, Robert" <rschm2 () unh ! newhaven ! edu>
Date: 2017-04-19 15:40:16
Message-ID: DM5PR02MB2763EA885821B396F0272C20A0180 () DM5PR02MB2763 ! namprd02 ! prod ! outlook ! com
[Download RAW message or body]
After some debugging (exactly as mentioned above) it appears that the cipher suite \
does not show up in the ClientHello using the s_client/s_server. I modified the \
cipher for testing to use 512 bits instead of 64 so that it is ranked highest.
Error server side:
SSL routines:tls_post_process_client_hello:no shared \
cipher:ssl/statem/statem_srvr.c:1979
Error Client side:
SSL routines:ssl3_read_bytes:tlsv1 alert internal \
error:ssl/record/rec_layer_s3.c:1469:SSL alert number 80
Any idea why the cipher would appear under the list of supported tls1.2 ciphers, yet \
it does not appear under the ClientHello even if specified with the -cipher option?
Hmm... it's not clear why the cipher isn't being sent in client hello. What
output do you get with -security_debug_verbose option? Also try including
@SECLEVEL=0 in the cipher string.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
The -security_debug_verbose option confirmed it was not being sent in the client \
hello. Here is the s_server command used:
openssl s_server -accept 6000 -tls1_2 -cert ./cert.pem -key ./key.pem -state -debug \
-msg -security_debug_verbose -cipher 'ECDHE-RSA-MYCIPHER-SHA256:@SECLEVEL=0'
Output:
Using default temp DH parameters
Security callback: Certificate chain EE key=RSA, bits=4096, security bits=128: yes
ACCEPT
Security callback: Version=TLS 1.3: yes
SSL_accept:before SSL initialization
read from 0x55613d95d540 [0x55613d962b23] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 77 ....w
<<< ??? [length 0005]
16 03 01 00 77
read from 0x55613d95d540 [0x55613d962b28] (119 bytes => 119 (0x77))
0000 - 01 00 00 73 03 03 fa d8-cc c4 e4 fb 70 c1 49 95 ...s........p.I.
0010 - fe 21 20 76 b1 78 2a b9-db 5f b7 af b8 de 9a 2c .! v.x*.._.....,
0020 - 5e de 74 d1 8f 66 00 00-04 c0 9c 00 ff 01 00 00 ^.t..f..........
0030 - 46 00 0b 00 04 03 00 01-02 00 0a 00 0a 00 08 00 F...............
0040 - 1d 00 17 00 19 00 18 00-23 00 00 00 0d 00 20 00 ........#..... .
0050 - 1e 04 03 05 03 06 03 08-04 08 05 08 06 04 01 05 ................
0060 - 01 06 01 02 03 02 01 02-02 04 02 05 02 06 02 00 ................
0070 - 16 00 00 00 17 .....
0077 - <SPACES/NULS>
SSL_accept:before SSL initialization
<<< TLS 1.3, Handshake [length 0077], ClientHello
01 00 00 73 03 03 fa d8 cc c4 e4 fb 70 c1 49 95
fe 21 20 76 b1 78 2a b9 db 5f b7 af b8 de 9a 2c
5e de 74 d1 8f 66 00 00 04 c0 9c 00 ff 01 00 00
46 00 0b 00 04 03 00 01 02 00 0a 00 0a 00 08 00
1d 00 17 00 19 00 18 00 23 00 00 00 0d 00 20 00
1e 04 03 05 03 06 03 08 04 08 05 08 06 04 01 05
01 06 01 02 03 02 01 02 02 04 02 05 02 06 02 00
16 00 00 00 17 00 00
Security callback: Version=TLS 1.2: yes
Security callback: : yes
Security callback: Shared Signature Algorithm digest=SHA256, algorithm=ECDSA, \
security bits=128: yes Security callback: Shared Signature Algorithm digest=SHA384, \
algorithm=ECDSA, security bits=192: yes Security callback: Shared Signature Algorithm \
digest=SHA512, algorithm=ECDSA, security bits=256: yes Security callback: Shared \
Signature Algorithm digest=SHA256, algid=4, security bits=128: yes Security callback: \
Shared Signature Algorithm digest=SHA384, algid=5, security bits=192: yes Security \
callback: Shared Signature Algorithm digest=SHA512, algid=6, security bits=256: yes \
Security callback: Shared Signature Algorithm digest=SHA256, algorithm=RSA, security \
bits=128: yes Security callback: Shared Signature Algorithm digest=SHA384, \
algorithm=RSA, security bits=192: yes Security callback: Shared Signature Algorithm \
digest=SHA512, algorithm=RSA, security bits=256: yes Security callback: Shared \
Signature Algorithm digest=SHA1, algorithm=ECDSA, security bits=80: yes Security \
callback: Shared Signature Algorithm digest=SHA1, algorithm=RSA, security bits=80: \
yes Security callback: Shared Signature Algorithm digest=SHA1, algorithm=DSA, \
security bits=80: yes Security callback: Shared Signature Algorithm digest=SHA256, \
algorithm=DSA, security bits=128: yes Security callback: Shared Signature Algorithm \
digest=SHA384, algorithm=DSA, security bits=192: yes Security callback: Shared \
Signature Algorithm digest=SHA512, algorithm=DSA, security bits=256: yes Security \
callback: Shared Signature Algorithm digest=SHA256, algorithm=ECDSA, security \
bits=128: yes Security callback: Shared Signature Algorithm digest=SHA384, \
algorithm=ECDSA, security bits=192: yes Security callback: Shared Signature Algorithm \
digest=SHA512, algorithm=ECDSA, security bits=256: yes Security callback: Shared \
Signature Algorithm digest=SHA256, algid=4, security bits=128: yes Security callback: \
Shared Signature Algorithm digest=SHA384, algid=5, security bits=192: yes Security \
callback: Shared Signature Algorithm digest=SHA512, algid=6, security bits=256: yes \
Security callback: Shared Signature Algorithm digest=SHA256, algorithm=RSA, security \
bits=128: yes Security callback: Shared Signature Algorithm digest=SHA384, \
algorithm=RSA, security bits=192: yes Security callback: Shared Signature Algorithm \
digest=SHA512, algorithm=RSA, security bits=256: yes Security callback: Shared \
Signature Algorithm digest=SHA1, algorithm=ECDSA, security bits=80: yes Security \
callback: Shared Signature Algorithm digest=SHA1, algorithm=RSA, security bits=80: \
yes Security callback: Shared Signature Algorithm digest=SHA1, algorithm=DSA, \
security bits=80: yes Security callback: Shared Signature Algorithm digest=SHA256, \
algorithm=DSA, security bits=128: yes Security callback: Shared Signature Algorithm \
digest=SHA384, algorithm=DSA, security bits=192: yes Security callback: Shared \
Signature Algorithm digest=SHA512, algorithm=DSA, security bits=256: yes
> > > ??? [length 0005]
15 03 03 00 02
write to 0x55613d95d540 [0x55613d96be30] (7 bytes => 7 (0x7))
0000 - 15 03 03 00 02 02 50 ......P
> > > TLS 1.2, Alert [length 0002], fatal internal_error
02 50
SSL3 alert write:fatal:internal error
SSL_accept:error in error
ERROR
140404400543168:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared \
cipher:ssl/statem/statem_srvr.c:1979: shutting down SSL
CONNECTION CLOSED
ACCEPT
And the s_client:
openssl s_client -connect localhost:6000 -tls1_2 -state -debug -msg \
-security_debug_verbose -cipher 'ECDHE-RSA-MYCIPHER-SHA256:@SECLEVEL=0'
Output:
CONNECTED(00000003)
Security callback: Version=TLS 1.3: yes
SSL_connect:before SSL initialization
Security callback: Version=TLS 1.2: yes
Security callback: Signature Algorithm mask=SHA256, algorithm=ECDSA, security \
bits=128: yes Security callback: Signature Algorithm mask=SHA256, algid=4, security \
bits=128: yes Security callback: Signature Algorithm mask=SHA1, algorithm=DSA, \
security bits=80: yes Security callback: Version=TLS 1.2: yes
Security callback: Supported Ciphersuite=ECDHE-RSA-NIGHTGALE-SHA256, security \
bits=512: yes Security callback: Version=TLS 1.2: yes
Security callback: Supported Curve=X25519, security bits=128: yes
Security callback: Supported Curve=P-256, security bits=128: yes
Security callback: Supported Curve=P-521, security bits=256: yes
Security callback: Supported Curve=P-384, security bits=192: yes
Security callback: : yes
Security callback: Supported Signature Algorithm digest=SHA256, algorithm=ECDSA, \
security bits=128: yes Security callback: Supported Signature Algorithm \
digest=SHA384, algorithm=ECDSA, security bits=192: yes Security callback: Supported \
Signature Algorithm digest=SHA512, algorithm=ECDSA, security bits=256: yes Security \
callback: Supported Signature Algorithm digest=SHA256, algid=4, security bits=128: \
yes Security callback: Supported Signature Algorithm digest=SHA384, algid=5, security \
bits=192: yes Security callback: Supported Signature Algorithm digest=SHA512, \
algid=6, security bits=256: yes Security callback: Supported Signature Algorithm \
digest=SHA256, algorithm=RSA, security bits=128: yes Security callback: Supported \
Signature Algorithm digest=SHA384, algorithm=RSA, security bits=192: yes Security \
callback: Supported Signature Algorithm digest=SHA512, algorithm=RSA, security \
bits=256: yes Security callback: Supported Signature Algorithm digest=SHA1, \
algorithm=ECDSA, security bits=80: yes Security callback: Supported Signature \
Algorithm digest=SHA1, algorithm=RSA, security bits=80: yes Security callback: \
Supported Signature Algorithm digest=SHA1, algorithm=DSA, security bits=80: yes \
Security callback: Supported Signature Algorithm digest=SHA256, algorithm=DSA, \
security bits=128: yes Security callback: Supported Signature Algorithm \
digest=SHA384, algorithm=DSA, security bits=192: yes Security callback: Supported \
Signature Algorithm digest=SHA512, algorithm=DSA, security bits=256: yes
> > > ??? [length 0005]
16 03 01 00 77
> > > TLS 1.2, Handshake [length 0077], ClientHello
01 00 00 73 03 03 fa d8 cc c4 e4 fb 70 c1 49 95
fe 21 20 76 b1 78 2a b9 db 5f b7 af b8 de 9a 2c
5e de 74 d1 8f 66 00 00 04 c0 9c 00 ff 01 00 00
46 00 0b 00 04 03 00 01 02 00 0a 00 0a 00 08 00
1d 00 17 00 19 00 18 00 23 00 00 00 0d 00 20 00
1e 04 03 05 03 06 03 08 04 08 05 08 06 04 01 05
01 06 01 02 03 02 01 02 02 04 02 05 02 06 02 00
16 00 00 00 17 00 00
write to 0x55a837046950 [0x55a8370578f0] (124 bytes => 124 (0x7C))
0000 - 16 03 01 00 77 01 00 00-73 03 03 fa d8 cc c4 e4 ....w...s.......
0010 - fb 70 c1 49 95 fe 21 20-76 b1 78 2a b9 db 5f b7 .p.I..! v.x*.._.
0020 - af b8 de 9a 2c 5e de 74-d1 8f 66 00 00 04 c0 9c ....,^.t..f.....
0030 - 00 ff 01 00 00 46 00 0b-00 04 03 00 01 02 00 0a .....F..........
0040 - 00 0a 00 08 00 1d 00 17-00 19 00 18 00 23 00 00 .............#..
0050 - 00 0d 00 20 00 1e 04 03-05 03 06 03 08 04 08 05 ... ............
0060 - 08 06 04 01 05 01 06 01-02 03 02 01 02 02 04 02 ................
0070 - 05 02 06 02 00 16 00 00-00 17 ..........
007c - <SPACES/NULS>
SSL_connect:SSLv3/TLS write client hello
read from 0x55a837046950 [0x55a83704e653] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 02 .....
<<< ??? [length 0005]
15 03 03 00 02
read from 0x55a837046950 [0x55a83704e658] (2 bytes => 2 (0x2))
0000 - 02 50 .P
<<< TLS 1.2, Alert [length 0002], fatal internal_error
02 50
SSL3 alert read:fatal:internal error
SSL_connect:error in SSLv3/TLS write client hello
139951664014784:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal \
error:ssl/record/rec_layer_s3.c:1469:SSL alert number 80
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 124 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1492615665
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
However, when viewing the supported ciphers, the cipher I'm attempting to integrate \
shows up as the first option in priority.
openssl ciphers -s -v
ECDHE-RSA-MYCIPHER-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=MYCIPHER Mac=AEAD
It seems as though when the priority list of ciphers available is being created (I \
think its the ssl_create_cipher_list on line 1283 ssl/ssl_ciph.c) the newly created \
cipher is not being built up in the list... maybe? Because when I execute \
s_server/s_client without specifying a cipher it shows the following list server \
side:
Shared ciphers:AES128-CCM:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DH \
E-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE- \
RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RS \
A-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-S \
HA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-EC \
DSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RS \
A-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
So I think if I can find where and how the above list is being created (I assume this \
list is generated both client and server side), then I think I'm close to being able \
to use this new cipher in SSL.
Thank you again for your expertise on this.
Rob
[Attachment #3 (text/html)]
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<blockquote>
<blockquote>
<pre wrap="">
After some debugging (exactly as mentioned above) it appears that the cipher suite \
does not show up in the ClientHello using the s_client/s_server. I modified the \
cipher for testing to use 512 bits instead of 64 so that it is ranked highest.
Error server side:
SSL routines:tls_post_process_client_hello:no shared \
cipher:ssl/statem/statem_srvr.c:1979
Error Client side:
SSL routines:ssl3_read_bytes:tlsv1 alert internal \
error:ssl/record/rec_layer_s3.c:1469:SSL alert number 80
Any idea why the cipher would appear under the list of supported tls1.2 ciphers, yet \
it does not appear under the ClientHello even if specified with the -cipher option?
</pre>
</blockquote>
</blockquote>
<blockquote>
<pre wrap="">Hmm... it's not clear why the cipher isn't being sent in client hello. \
What output do you get with -security_debug_verbose option? Also try including
@SECLEVEL=0 in the cipher string.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: <a class="moz-txt-link-freetext" \
href="http://www.openssl.org">http://www.openssl.org</a></pre> </blockquote>
<br>
The -security_debug_verbose option confirmed it was not being sent in the client \
hello. Here is the s_server command used:<br> <br>
openssl s_server -accept 6000 -tls1_2 -cert ./cert.pem -key ./key.pem -state -debug \
-msg -security_debug_verbose -cipher 'ECDHE-RSA-MYCIPHER-SHA256:@SECLEVEL=0'<br> <br>
Output:<br>
<br>
<blockquote>Using default temp DH parameters<br>
Security callback: Certificate chain EE key=RSA, bits=4096, security bits=128: \
yes<br> ACCEPT<br>
Security callback: Version=TLS 1.3: yes<br>
SSL_accept:before SSL initialization<br>
read from 0x55613d95d540 [0x55613d962b23] (5 bytes => 5 (0x5))<br>
0000 - 16 03 01 00 77   \
; \
....w<br> <<< ??? [length 0005]<br>
16 03 01 00 77<br>
read from 0x55613d95d540 [0x55613d962b28] (119 bytes => 119 (0x77))<br>
0000 - 01 00 00 73 03 03 fa d8-cc c4 e4 fb 70 c1 49 95 \
...s........p.I.<br> 0010 - fe 21 20 76 b1 78 2a b9-db 5f b7 af b8 de 9a \
2c .! v.x*.._.....,<br> 0020 - 5e de 74 d1 8f 66 00 00-04 c0 9c 00 ff 01 \
00 00 ^.t..f..........<br> 0030 - 46 00 0b 00 04 03 00 01-02 00 0a 00 0a \
00 08 00 F...............<br> 0040 - 1d 00 17 00 19 00 18 00-23 00 00 00 \
0d 00 20 00 ........#..... .<br> 0050 - 1e 04 03 05 03 06 03 08-04 08 05 \
08 06 04 01 05 ................<br> 0060 - 01 06 01 02 03 02 01 02-02 04 \
02 05 02 06 02 00 ................<br> 0070 - 16 00 00 00 \
17 \
\
.....<br> 0077 - <SPACES/NULS><br>
SSL_accept:before SSL initialization<br>
<<< TLS 1.3, Handshake [length 0077], ClientHello<br>
01 00 00 73 03 03 fa d8 cc c4 e4 fb 70 c1 49 95<br>
fe 21 20 76 b1 78 2a b9 db 5f b7 af b8 de 9a 2c<br>
5e de 74 d1 8f 66 00 00 04 c0 9c 00 ff 01 00 00<br>
46 00 0b 00 04 03 00 01 02 00 0a 00 0a 00 08 00<br>
1d 00 17 00 19 00 18 00 23 00 00 00 0d 00 20 00<br>
1e 04 03 05 03 06 03 08 04 08 05 08 06 04 01 05<br>
01 06 01 02 03 02 01 02 02 04 02 05 02 06 02 00<br>
16 00 00 00 17 00 00<br>
Security callback: Version=TLS 1.2: yes<br>
Security callback: : yes<br>
Security callback: Shared Signature Algorithm digest=SHA256, algorithm=ECDSA, \
security bits=128: yes<br> Security callback: Shared Signature Algorithm \
digest=SHA384, algorithm=ECDSA, security bits=192: yes<br> Security callback: Shared \
Signature Algorithm digest=SHA512, algorithm=ECDSA, security bits=256: yes<br> \
Security callback: Shared Signature Algorithm digest=SHA256, algid=4, security \
bits=128: yes<br> Security callback: Shared Signature Algorithm digest=SHA384, \
algid=5, security bits=192: yes<br> Security callback: Shared Signature Algorithm \
digest=SHA512, algid=6, security bits=256: yes<br> Security callback: Shared \
Signature Algorithm digest=SHA256, algorithm=RSA, security bits=128: yes<br> Security \
callback: Shared Signature Algorithm digest=SHA384, algorithm=RSA, security bits=192: \
yes<br> Security callback: Shared Signature Algorithm digest=SHA512, algorithm=RSA, \
security bits=256: yes<br> Security callback: Shared Signature Algorithm digest=SHA1, \
algorithm=ECDSA, security bits=80: yes<br> Security callback: Shared Signature \
Algorithm digest=SHA1, algorithm=RSA, security bits=80: yes<br> Security callback: \
Shared Signature Algorithm digest=SHA1, algorithm=DSA, security bits=80: yes<br> \
Security callback: Shared Signature Algorithm digest=SHA256, algorithm=DSA, security \
bits=128: yes<br> Security callback: Shared Signature Algorithm digest=SHA384, \
algorithm=DSA, security bits=192: yes<br> Security callback: Shared Signature \
Algorithm digest=SHA512, algorithm=DSA, security bits=256: yes<br> Security callback: \
Shared Signature Algorithm digest=SHA256, algorithm=ECDSA, security bits=128: yes<br> \
Security callback: Shared Signature Algorithm digest=SHA384, algorithm=ECDSA, \
security bits=192: yes<br> Security callback: Shared Signature Algorithm \
digest=SHA512, algorithm=ECDSA, security bits=256: yes<br> Security callback: Shared \
Signature Algorithm digest=SHA256, algid=4, security bits=128: yes<br> Security \
callback: Shared Signature Algorithm digest=SHA384, algid=5, security bits=192: \
yes<br> Security callback: Shared Signature Algorithm digest=SHA512, algid=6, \
security bits=256: yes<br> Security callback: Shared Signature Algorithm \
digest=SHA256, algorithm=RSA, security bits=128: yes<br> Security callback: Shared \
Signature Algorithm digest=SHA384, algorithm=RSA, security bits=192: yes<br> Security \
callback: Shared Signature Algorithm digest=SHA512, algorithm=RSA, security bits=256: \
yes<br> Security callback: Shared Signature Algorithm digest=SHA1, algorithm=ECDSA, \
security bits=80: yes<br> Security callback: Shared Signature Algorithm digest=SHA1, \
algorithm=RSA, security bits=80: yes<br> Security callback: Shared Signature \
Algorithm digest=SHA1, algorithm=DSA, security bits=80: yes<br> Security callback: \
Shared Signature Algorithm digest=SHA256, algorithm=DSA, security bits=128: yes<br> \
Security callback: Shared Signature Algorithm digest=SHA384, algorithm=DSA, security \
bits=192: yes<br> Security callback: Shared Signature Algorithm digest=SHA512, \
algorithm=DSA, security bits=256: yes<br> >>> ??? [length 0005]<br>
15 03 03 00 02<br>
write to 0x55613d95d540 [0x55613d96be30] (7 bytes => 7 (0x7))<br>
0000 - 15 03 03 00 02 02 \
50 \
\
......P<br> >>> TLS 1.2, Alert [length 0002], fatal internal_error<br>
02 50<br>
SSL3 alert write:fatal:internal error<br>
SSL_accept:error in error<br>
ERROR<br>
140404400543168:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared \
cipher:ssl/statem/statem_srvr.c:1979:<br> shutting down SSL<br>
CONNECTION CLOSED<br>
ACCEPT<br>
</blockquote>
<br>
And the s_client:<br>
<br>
openssl s_client -connect localhost:6000 -tls1_2 -state -debug -msg \
-security_debug_verbose -cipher 'ECDHE-RSA-MYCIPHER-SHA256:@SECLEVEL=0'<br> <br>
Output:<br>
<br>
<blockquote>CONNECTED(00000003)<br>
Security callback: Version=TLS 1.3: yes<br>
SSL_connect:before SSL initialization<br>
Security callback: Version=TLS 1.2: yes<br>
Security callback: Signature Algorithm mask=SHA256, algorithm=ECDSA, security \
bits=128: yes<br> Security callback: Signature Algorithm mask=SHA256, algid=4, \
security bits=128: yes<br> Security callback: Signature Algorithm mask=SHA1, \
algorithm=DSA, security bits=80: yes<br> Security callback: Version=TLS 1.2: yes<br>
Security callback: Supported Ciphersuite=ECDHE-RSA-NIGHTGALE-SHA256, security \
bits=512: yes<br> Security callback: Version=TLS 1.2: yes<br>
Security callback: Supported Curve=X25519, security bits=128: yes<br>
Security callback: Supported Curve=P-256, security bits=128: yes<br>
Security callback: Supported Curve=P-521, security bits=256: yes<br>
Security callback: Supported Curve=P-384, security bits=192: yes<br>
Security callback: : yes<br>
Security callback: Supported Signature Algorithm digest=SHA256, algorithm=ECDSA, \
security bits=128: yes<br> Security callback: Supported Signature Algorithm \
digest=SHA384, algorithm=ECDSA, security bits=192: yes<br> Security callback: \
Supported Signature Algorithm digest=SHA512, algorithm=ECDSA, security bits=256: \
yes<br> Security callback: Supported Signature Algorithm digest=SHA256, algid=4, \
security bits=128: yes<br> Security callback: Supported Signature Algorithm \
digest=SHA384, algid=5, security bits=192: yes<br> Security callback: Supported \
Signature Algorithm digest=SHA512, algid=6, security bits=256: yes<br> Security \
callback: Supported Signature Algorithm digest=SHA256, algorithm=RSA, security \
bits=128: yes<br> Security callback: Supported Signature Algorithm digest=SHA384, \
algorithm=RSA, security bits=192: yes<br> Security callback: Supported Signature \
Algorithm digest=SHA512, algorithm=RSA, security bits=256: yes<br> Security callback: \
Supported Signature Algorithm digest=SHA1, algorithm=ECDSA, security bits=80: yes<br> \
Security callback: Supported Signature Algorithm digest=SHA1, algorithm=RSA, security \
bits=80: yes<br> Security callback: Supported Signature Algorithm digest=SHA1, \
algorithm=DSA, security bits=80: yes<br> Security callback: Supported Signature \
Algorithm digest=SHA256, algorithm=DSA, security bits=128: yes<br> Security callback: \
Supported Signature Algorithm digest=SHA384, algorithm=DSA, security bits=192: \
yes<br> Security callback: Supported Signature Algorithm digest=SHA512, \
algorithm=DSA, security bits=256: yes<br> >>> ??? [length 0005]<br>
16 03 01 00 77<br>
>>> TLS 1.2, Handshake [length 0077], ClientHello<br>
01 00 00 73 03 03 fa d8 cc c4 e4 fb 70 c1 49 95<br>
fe 21 20 76 b1 78 2a b9 db 5f b7 af b8 de 9a 2c<br>
5e de 74 d1 8f 66 00 00 04 c0 9c 00 ff 01 00 00<br>
46 00 0b 00 04 03 00 01 02 00 0a 00 0a 00 08 00<br>
1d 00 17 00 19 00 18 00 23 00 00 00 0d 00 20 00<br>
1e 04 03 05 03 06 03 08 04 08 05 08 06 04 01 05<br>
01 06 01 02 03 02 01 02 02 04 02 05 02 06 02 00<br>
16 00 00 00 17 00 00<br>
write to 0x55a837046950 [0x55a8370578f0] (124 bytes => 124 (0x7C))<br>
0000 - 16 03 01 00 77 01 00 00-73 03 03 fa d8 cc c4 e4 \
....w...s.......<br> 0010 - fb 70 c1 49 95 fe 21 20-76 b1 78 2a b9 db 5f \
b7 .p.I..! v.x*.._.<br> 0020 - af b8 de 9a 2c 5e de 74-d1 8f 66 00 00 04 \
c0 9c ....,^.t..f.....<br> 0030 - 00 ff 01 00 00 46 00 0b-00 04 03 00 01 \
02 00 0a .....F..........<br> 0040 - 00 0a 00 08 00 1d 00 17-00 19 00 18 \
00 23 00 00 .............#..<br> 0050 - 00 0d 00 20 00 1e 04 03-05 03 06 \
03 08 04 08 05 ... ............<br> 0060 - 08 06 04 01 05 01 06 01-02 03 \
02 01 02 02 04 02 ................<br> 0070 - 05 02 06 02 00 16 00 00-00 \
17 \
..........<br> 007c - <SPACES/NULS><br>
SSL_connect:SSLv3/TLS write client hello<br>
read from 0x55a837046950 [0x55a83704e653] (5 bytes => 5 (0x5))<br>
0000 - 15 03 03 00 02   \
; \
.....<br> <<< ??? [length 0005]<br>
15 03 03 00 02<br>
read from 0x55a837046950 [0x55a83704e658] (2 bytes => 2 (0x2))<br>
0000 - 02 50 &n \
bsp; &nbs \
p; \
.P<br> <<< TLS 1.2, Alert [length 0002], fatal internal_error<br>
02 50<br>
SSL3 alert read:fatal:internal error<br>
SSL_connect:error in SSLv3/TLS write client hello<br>
139951664014784:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal \
error:ssl/record/rec_layer_s3.c:1469:SSL alert number 80<br>
---<br>
no peer certificate available<br>
---<br>
No client certificate CA names sent<br>
---<br>
SSL handshake has read 7 bytes and written 124 bytes<br>
Verification: OK<br>
---<br>
New, (NONE), Cipher is (NONE)<br>
Secure Renegotiation IS NOT supported<br>
Compression: NONE<br>
Expansion: NONE<br>
No ALPN negotiated<br>
SSL-Session:<br>
Protocol : TLSv1.2<br>
Cipher : 0000<br>
Session-ID: <br>
Session-ID-ctx: <br>
Master-Key: <br>
PSK identity: None<br>
PSK identity hint: None<br>
SRP username: None<br>
Start Time: 1492615665<br>
Timeout : 7200 (sec)<br>
Verify return code: 0 (ok)<br>
Extended master secret: no<br>
---<br>
</blockquote>
However, when viewing the supported ciphers, the cipher I'm attempting to integrate \
shows up as the first option in priority.<br> <br>
<blockquote>openssl ciphers -s -v<br>
ECDHE-RSA-MYCIPHER-SHA256 TLSv1.2 Kx=ECDH Au=RSA \
Enc=MYCIPHER Mac=AEAD<br> </blockquote>
<br>
It seems as though when the priority list of ciphers available is being created (I \
think its the ssl_create_cipher_list on line 1283 ssl/ssl_ciph.c) the newly created \
cipher is not being built up in the list... maybe? Because when I execute \
s_server/s_client without specifying a cipher it shows the following list server \
side:<br> <br>
Shared ciphers:AES128-CCM:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DH \
E-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE- \
RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RS \
A-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-S \
HA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-EC \
DSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RS \
A-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA<br>
<br>
So I think if I can find where and how the above list is being created (I assume this \
list is generated both client and server side), then I think I'm close to being able \
to use this new cipher in SSL.<br> <br>
Thank you again for your expertise on this.<br>
Rob<br>
<br>
<br>
</body>
</html>
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
--===============1420493383518508273==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic