Hi,

Yes, I can use the ADH cipher suites. I'm doing the same thing you do:

    1. I compile the library with SSL_ALLOW_ADH
    2. I set the cipher suite to include the ADH cipher (which is not enabled
by default)

I'm also calling "SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);" to disable
certificates. I think you also need to define DH parameters, at least on the
server side, if you want to use ADH. I hope this will help...


Vincent Levesque


Jeffrey Altman wrote:

> I am setting the cipher list on both my client and server
>
>   ADH-DES-CBC3-SHA:ADH-DES-CBC-SHA
>
> and then attempt to make a TLSv1 connection and get the following
> error:
>
>   [TLS - handshake starting]
>   [TLS - FAILED]
>   235:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
>     failure:.\ssl\s3_pkt.c:774:SSL alert number 40
>
> Is anyone successfully using these ciphers?
>
> The reason why I want them is that by using them I do not need to
> worry about certificates.  I want to use TLS for privacy but I am
> willing to use Kerberos V5 for mutual end-user to host authentication.
> I plan to avoid the man in the middle attack which is possible when
> using the ADH ciphers by including the following ASN.1 structure
> in the Kerberos V5 checksum field.
>
>  TLS_CHECKSUM_DATA ::= SEQUENCE {
>    authentication-type-pair OCTET_STRING,  -- 2 bytes
>    SSLversion              INTEGER,        -- SSL version number
>    Cipher                  OCTET_STRING,   -- the 3 byte cipher ID
>    Session_ID              OCTET_STRING,   -- the Session ID
>    Master_key              OCTET_STRING,   -- the master key
>  }
>
>     Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2
>                  The Kermit Project * Columbia University
>               612 West 115th St #716 * New York, NY * 10025
>   http://www.kermit-project.org/k95.html * [EMAIL PROTECTED]
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]

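The TLS_CHECKSUM_DATA structure from Jeffrey's message, worked through as an added example that is neither poster's code: a small pure-Python DER encoder for that SEQUENCE, plus the server-side comparison that makes the Kerberos authenticator useful against a relaying man-in-the-middle on an ADH connection. All session values below are constructed; the only real identifier is OpenSSL's 3-byte cipher id for ADH-DES-CBC3-SHA (0x03001B), and the 2-byte authentication-type-pair value is an assumed placeholder.

```python
import hmac

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_octet_string(data: bytes) -> bytes:
    return b"\x04" + der_len(len(data)) + data

def der_integer(value: int) -> bytes:
    """Non-negative INTEGER, minimal two's-complement big-endian encoding."""
    if value < 0:
        raise ValueError("only non-negative version numbers are expected")
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(body)) + body

def encode_tls_checksum_data(auth_type_pair: bytes, ssl_version: int,
                             cipher_id: bytes, session_id: bytes,
                             master_key: bytes) -> bytes:
    """DER-encode TLS_CHECKSUM_DATA ::= SEQUENCE { ... } from the thread."""
    if len(auth_type_pair) != 2:
        raise ValueError("authentication-type-pair must be 2 bytes")
    if len(cipher_id) != 3:
        raise ValueError("Cipher must be the 3-byte cipher ID")
    body = (der_octet_string(auth_type_pair)
            + der_integer(ssl_version)
            + der_octet_string(cipher_id)
            + der_octet_string(session_id)
            + der_octet_string(master_key))
    return b"\x30" + der_len(len(body)) + body

def session_bound_to_authenticator(received: bytes, local: bytes) -> bool:
    """Server-side check: the checksum carried in the Kerberos authenticator
    must describe the TLS session it arrived on. A relaying attacker holds two
    separate ADH sessions (different session IDs and master keys), so the
    client's view and the server's own view no longer agree."""
    return hmac.compare_digest(received, local)

# Constructed sample values (not real session material).
TLS1_0 = 0x0301                     # SSL version number carried as INTEGER
ADH_DES_CBC3_SHA = b"\x03\x00\x1b"  # OpenSSL 3-byte id of ADH-DES-CBC3-SHA
SAMPLE_AUTH_PAIR = b"\x00\x01"      # assumed placeholder pair
SAMPLE_SESSION_ID = bytes([0x11]) * 32
SAMPLE_MASTER_KEY = bytes([0x22]) * 48

if __name__ == "__main__":
    mine = encode_tls_checksum_data(SAMPLE_AUTH_PAIR, TLS1_0, ADH_DES_CBC3_SHA,
                                    SAMPLE_SESSION_ID, SAMPLE_MASTER_KEY)
    print(mine.hex(), session_bound_to_authenticator(mine, mine))
```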
