Hello,
I'm having a weird problem. Here's my situation:
My server is set up to do both DSA and RSA. The DSA works fine. No
questions there. To accomplish this, I've set the cipher suite list in
my httpd.conf file to be:
SSLCipherSuite 3DES:!ADH:!SSLv2
which evaluates, using openssl ciphers -v '3DES:!ADH:!SSLv2', to:
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
The DSS cipher is for my DSA operations, and the other two for my RSA
operations. The EDH-RSA cipher works fine from all clients
(openssl-based apps, java apps, s_client), no problems there.
If I use my java client with the DES-CBC3-SHA cipher, everything works
fine. It's when I use that cipher with any openssl-based apps
(including s_client) that things don't work. If I run this:
openssl s_client -connect myserver:443 -cert /tmp/s_client.crt -key /tmp/s_client.key -CAfile /tmp/s_clientCA.crt -tls1 -cipher DES-CBC3-SHA -state
I get the following output:
...
GET /servlets/TestServlet HTTP/1.0 (I type this)
SSL_connect:SSL renegotiate ciphers
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL3 alert write:fatal:illegal parameter
SSL_connect:error in SSLv3 read server key exchange A
27309:error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message size:s3_both.c:302:
and the following shows up in my ssl_request_log:
[04/Dec/2000:18:55:07 -0500] ipaddress TLSv1 (NONE) "GET /servlets/TestServlet HTTP/1.0" 289
Notice the missing (NONE) cipher suite.
If I run the same test but use EDH-RSA-DES-CBC3-SHA as the cipher, it
works fine. Again, my java client works fine when using the same
certs/keys/server and DES-CBC3-SHA.
Can anyone tell me what might be going wrong?
Thanks,
Jeff
P.S. One more data point is that EDH-RSA-DES-CBC3-SHA works with and
without client authentication being done. The DES-CBC3-SHA cipher only
works if client authentication is off.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
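As an added example (not code from the post or from OpenSSL), a Python parser for the openssl ciphers -v column format quoted above; it groups suites by the certificate key type each one requires, so an admin running both RSA and DSA certificates can check that every suite in SSLCipherSuite has a matching certificate, and it flags which handshakes carry a ServerKeyExchange, the message the failing trace stops at. It assumes OpenSSL's Kx= labels (DH for ephemeral DH, DH/RSA or DH/DSS for fixed DH, RSA(512) for export RSA).

```python
"""Parse `openssl ciphers -v` output and report what each suite needs
from the server. Added example; not from the mailing-list post."""
import re

# Constructed sample: the three suites the mail quotes, one per line as
# `openssl ciphers -v` prints them.
SAMPLE = """\
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers_v(text):
    """Return one dict per suite line; lines that don't match are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def needs_server_key_exchange(suite):
    """Ephemeral DH (Kx=DH, DH(512)) always sends ServerKeyExchange; fixed
    DH from the certificate (Kx=DH/RSA, DH/DSS) never does. Plain RSA key
    transport (Kx=RSA) sends none; export suites, which OpenSSL labels
    Kx=RSA(512) because a temporary key is sent, do."""
    kx = suite["kx"]
    if kx.startswith("DH/"):
        return False
    if kx.startswith("DH"):
        return True
    if kx.startswith("RSA"):
        return kx != "RSA"
    raise ValueError("unhandled key exchange: " + kx)


def suites_by_auth(suites):
    """Group suite names by the certificate key type (Au=) they require."""
    groups = {}
    for s in suites:
        groups.setdefault(s["au"], []).append(s["name"])
    return groups


def unusable_suites(suites, cert_types):
    """Suites no configured certificate type (e.g. {"RSA", "DSS"}) can serve."""
    return [s["name"] for s in suites if s["au"] not in cert_types]
```

Feed it the real output of openssl ciphers -v '<your SSLCipherSuite string>' and compare unusable_suites() against the certificate types the server actually has loaded.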