Hello,
> I am hitting a strange problem with Openssl. Recently I migrated from
> OpenSSL-0.9.8a to OpenSSL-0.9.8d, from the release notes, I see that some
> fixes have gone into cipher selection logic of OpenSSL.
> 
> Now for the same CLIENT HELLO message (same as in no diff to cipher order
> or ssl version from IE), OpenSSL-0.9.8d selects DH cipher suite when
> RC4-MD5, DES, 3DES, AES are sent ahead of this DH in the client hello.
> 
> Now my question is simple.
> 
> 1. Is this behaviour only restricted to OpenSSL-0.9.8d or other versions
> as well?
> 2. Why does this happen? Kind of an attack as a weak suite is negotiated.
> 3. When will a DH be selected by the server?
> 
> Note: cipher selection priority is pointing to server (coded that way in
> the application).
My proposition is to look at how this cipher suite selection process works
in practice.

To check this we will need:
 - compiled debug version of OpenSSL-0.9.8a
 - compiled debug version of OpenSSL-0.9.8d
 - ssldump

To get debug version you may compile OpenSSL as follows:

$ pwd
/tmp/openssl-0.9.8a
$ ./Configure threads shared -DKSSL_DEBUG -DSSL_DEBUG -DTLS_DEBUG \
 -DCIPHER_DEBUG -DPKT_DEBUG --prefix=/usr/local/openssl-0.9.8a-debug \
 linux-elf -g
$ make
$ make test
$ make install

$ pwd
/tmp/openssl-0.9.8d
$ ./Configure threads shared -DKSSL_DEBUG -DSSL_DEBUG -DTLS_DEBUG \
 -DCIPHER_DEBUG -DPKT_DEBUG --prefix=/usr/local/openssl-0.9.8d-debug \
 linux-elf -g
$ make
$ make test
$ make install

After this we should check what shared libraries are used by openssl
binary (just to be sure):

$ ldd /usr/local/openssl-0.9.8a-debug/bin/openssl | grep openssl
libssl.so.0.9.8=>/usr/local/openssl-0.9.8a-debug/lib/libssl.so.0.9.8
libcrypto.so.0.9.8=>/usr/local/openssl-0.9.8a-debug/lib/libcrypto.so.0.9.8 

$ ldd /usr/local/openssl-0.9.8d-debug/bin/openssl | grep openssl
libssl.so.0.9.8=>/usr/local/openssl-0.9.8d-debug/lib/libssl.so.0.9.8
libcrypto.so.0.9.8=>/usr/local/openssl-0.9.8d-debug/lib/libcrypto.so.0.9.8

Compiled in this way OpenSSL will display a lot of additional
information to stdout.

Next you may run "openssl s_server ..." test:

$ /usr/local/openssl-0.9.8a-debug/bin/openssl s_server -key key.pem
-cert cert.pem -accept 10443
....
<DHE-RSA-AES256-SHA>
<DHE-DSS-AES256-SHA>
<AES256-SHA>
<EDH-RSA-DES-CBC3-SHA>
<EDH-DSS-DES-CBC3-SHA>
<DES-CBC3-SHA>
<DES-CBC3-MD5>
<DHE-RSA-AES128-SHA>
<DHE-DSS-AES128-SHA>
<AES128-SHA>
<IDEA-CBC-SHA>
<IDEA-CBC-MD5>
<RC2-CBC-MD5>
<DHE-DSS-RC4-SHA>
<RC4-SHA>
<RC4-MD5>
<RC4-MD5>
<RC4-64-MD5>
<EXP1024-DHE-DSS-DES-CBC-SHA>
<EXP1024-DES-CBC-SHA>
<EXP1024-RC2-CBC-MD5>
<EDH-RSA-DES-CBC-SHA>
<EDH-DSS-DES-CBC-SHA>
<DES-CBC-SHA>
<DES-CBC-MD5>
<EXP1024-DHE-DSS-RC4-SHA>
<EXP1024-RC4-SHA>
<EXP1024-RC4-MD5>
<EXP-EDH-RSA-DES-CBC-SHA>
<EXP-EDH-DSS-DES-CBC-SHA>
<EXP-DES-CBC-SHA>
<EXP-RC2-CBC-MD5>
<EXP-RC2-CBC-MD5>
<EXP-RC4-MD5>
<EXP-RC4-MD5>
....
ACCEPT                  <-- waiting for connection
....                    <-- handshake begins (with IE7)
Server has 35 from 0x9ed9c88:  <-- server ciphers
0x3aceb8:DHE-RSA-AES256-SHA     
0x3ace90:DHE-DSS-AES256-SHA
0x3ace18:AES256-SHA
0x3acbe8:EDH-RSA-DES-CBC3-SHA
0x3acb70:EDH-DSS-DES-CBC3-SHA
0x3aca08:DES-CBC3-SHA
0x3ac630:DES-CBC3-MD5
0x3acdc8:DHE-RSA-AES128-SHA
0x3acda0:DHE-DSS-AES128-SHA
0x3acd28:AES128-SHA
0x3ac990:IDEA-CBC-SHA
0x3ac5e0:IDEA-CBC-MD5
0x3ac590:RC2-CBC-MD5
0x3ad368:DHE-DSS-RC4-SHA
0x3ac940:RC4-SHA
0x3ac918:RC4-MD5
0x3ac540:RC4-MD5
0x3ac658:RC4-64-MD5
0x3ad2f0:EXP1024-DHE-DSS-DES-CBC-SHA
0x3ad2c8:EXP1024-DES-CBC-SHA
0x3ad2a0:EXP1024-RC2-CBC-MD5
0x3acbc0:EDH-RSA-DES-CBC-SHA
0x3acb48:EDH-DSS-DES-CBC-SHA
0x3ac9e0:DES-CBC-SHA
0x3ac608:DES-CBC-MD5
0x3ad340:EXP1024-DHE-DSS-RC4-SHA
0x3ad318:EXP1024-RC4-SHA
0x3ad278:EXP1024-RC4-MD5
0x3acb98:EXP-EDH-RSA-DES-CBC-SHA
0x3acb20:EXP-EDH-DSS-DES-CBC-SHA
0x3ac9b8:EXP-DES-CBC-SHA
0x3ac968:EXP-RC2-CBC-MD5
0x3ac5b8:EXP-RC2-CBC-MD5
0x3ac8f0:EXP-RC4-MD5
0x3ac568:EXP-RC4-MD5
Client sent 11 from 0x9ef2aa8:  <-- client ciphers (shared with server)
0x3ac918:RC4-MD5
0x3ac940:RC4-SHA
0x3aca08:DES-CBC3-SHA
0x3ac9e0:DES-CBC-SHA
0x3ad318:EXP1024-RC4-SHA
0x3ad2c8:EXP1024-DES-CBC-SHA
0x3ac8f0:EXP-RC4-MD5
0x3ac968:EXP-RC2-CBC-MD5
0x3acb70:EDH-DSS-DES-CBC3-SHA
0x3acb48:EDH-DSS-DES-CBC-SHA
0x3ad2f0:EXP1024-DHE-DSS-DES-CBC-SHA
rt=1 rte=1 dht=1 re=1 ree=0 rs=0 ds=0 dhr=0 dhd=0
ssl3_choose_cipher 0 alg= 2420101
1:[00000101:00000991]0x3ac918:RC4-MD5   <-- RC4-MD5 selected

$ /usr/local/openssl-0.9.8d-debug/bin/openssl s_server -key key.pem
-cert cert.pem -accept 10443
....
<DHE-RSA-AES256-SHA>
<DHE-DSS-AES256-SHA>
<AES256-SHA>
<EDH-RSA-DES-CBC3-SHA>
<EDH-DSS-DES-CBC3-SHA>
<DES-CBC3-SHA>
<DES-CBC3-MD5>
<DHE-RSA-AES128-SHA>
<DHE-DSS-AES128-SHA>
<AES128-SHA>
<IDEA-CBC-SHA>
<IDEA-CBC-MD5>
<RC2-CBC-MD5>
<RC4-SHA>
<RC4-MD5>
<RC4-MD5>
<EDH-RSA-DES-CBC-SHA>
<EDH-DSS-DES-CBC-SHA>
<DES-CBC-SHA>
<DES-CBC-MD5>
<EXP-EDH-RSA-DES-CBC-SHA>
<EXP-EDH-DSS-DES-CBC-SHA>
<EXP-DES-CBC-SHA>
<EXP-RC2-CBC-MD5>
<EXP-RC2-CBC-MD5>
<EXP-RC4-MD5>
<EXP-RC4-MD5>
....
ACCEPT                  <-- waiting for connection
....                    <-- handshake begins (with IE7)
Server has 27 from 0x99d0a80:  <-- server ciphers
0x745498:DHE-RSA-AES256-SHA
0x745470:DHE-DSS-AES256-SHA
0x7453f8:AES256-SHA
0x7451c8:EDH-RSA-DES-CBC3-SHA
0x745150:EDH-DSS-DES-CBC3-SHA
0x744fe8:DES-CBC3-SHA
0x744c30:DES-CBC3-MD5
0x7453a8:DHE-RSA-AES128-SHA
0x745380:DHE-DSS-AES128-SHA
0x745308:AES128-SHA
0x744f70:IDEA-CBC-SHA
0x744be0:IDEA-CBC-MD5
0x744b90:RC2-CBC-MD5
0x744f20:RC4-SHA
0x744ef8:RC4-MD5
0x744b40:RC4-MD5
0x7451a0:EDH-RSA-DES-CBC-SHA
0x745128:EDH-DSS-DES-CBC-SHA
0x744fc0:DES-CBC-SHA
0x744c08:DES-CBC-MD5
0x745178:EXP-EDH-RSA-DES-CBC-SHA
0x745100:EXP-EDH-DSS-DES-CBC-SHA
0x744f98:EXP-DES-CBC-SHA
0x744f48:EXP-RC2-CBC-MD5
0x744bb8:EXP-RC2-CBC-MD5
0x744ed0:EXP-RC4-MD5
0x744b68:EXP-RC4-MD5
Client sent 8 from 0x99e9968:  <-- client ciphers (shared with server)
0x744ef8:RC4-MD5
0x744f20:RC4-SHA
0x744fe8:DES-CBC3-SHA
0x744fc0:DES-CBC-SHA
0x744ed0:EXP-RC4-MD5
0x744f48:EXP-RC2-CBC-MD5
0x745150:EDH-DSS-DES-CBC3-SHA
0x745128:EDH-DSS-DES-CBC-SHA
rt=1 rte=1 dht=1 re=1 ree=0 rs=0 ds=0 dhr=0 dhd=0
ssl3_choose_cipher 0 alg= 2420101
1:[00000101:00000991]0x744ef8:RC4-MD5  <-- RC4-MD5 selected

As you see in my test with IE7 both versions of OpenSSL
negotiated the same cipher (RC4-MD5), but I'm using in
this test the default ciphers.
If you set ciphers to some value in your application, you may add
the "-cipher" option to this test with your cipher suite.
If you disable/enable some protocols in your application you
may experiment with the -ssl3, -tls1 options.
You may also test the "-no_dhe" option to disable DHE* ciphers.
You may also link your application with these debug libraries
and check real negotiations.

In both cases, IE7 sent the same client hello (11 ciphers)
as ssldump shows (with TLS1 proposition):

$ ssldump -n -i eth0
New TCP connection #1: admin.malkom.pl(2285) <-> nx9010.malkom.pl(10443)
1 1  0.0012 (0.0012)  C>S  Handshake
      ClientHello
        Version 3.1
        resume [32]=
          20 57 84 eb 2a d5 57 5a a1 f9 34 2f 13 b5 b1 43
          b5 0f f6 c5 37 b5 9f 4c 48 76 0c 62 ac a4 7b 4e
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
        compression methods
                  NULL
1 2  0.0066 (0.0053)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          9f 3f b4 c2 a4 28 af 2e b5 a6 e2 3c 87 76 a1 d7
          48 5f ab 44 81 04 ff c9 05 da c8 5b e1 82 f0 db
        cipherSuite         TLS_RSA_WITH_RC4_128_MD5   <-- server choice
        compressionMethod                   NULL

In this way you may test other versions of OpenSSL.
Hope this helps.

Note:
If you get errors in the ssl/ directory about undefined DES_KEY_SZ and
DES_SCHEDULE_SZ, comment out these printf's and recompile.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>
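To make the choice visible in the traces above concrete, here is an added example (my own model, not OpenSSL's code) of the selection rule behind the "Client sent ... / ssl3_choose_cipher ... / 1:[...]:RC4-MD5" lines: walk one list in preference order, skip suites the server's keys cannot support, take the first one the other side also lists. It assumes the re/ds/dht fields of the CIPHER_DEBUG line mean RSA certificate, DSA signing certificate and temporary DH key, and it leaves export-key handling out.

```python
"""Model of the server's cipher choice in the s_server debug output above.
Added example, not OpenSSL code: it mirrors the rule of 0.9.8's
ssl3_choose_cipher() (walk one list in preference order, skip suites the
server's keys cannot support, take the first one the other side also lists).
Export-key handling is left out (simplifying assumption)."""

# Server list for 0.9.8d, in the order of the "Server has 27 ..." dump.
SERVER_0_9_8D = """
DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA DES-CBC3-MD5 DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA AES128-SHA IDEA-CBC-SHA IDEA-CBC-MD5 RC2-CBC-MD5
RC4-SHA RC4-MD5 RC4-MD5 EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA
DES-CBC-SHA DES-CBC-MD5 EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC2-CBC-MD5 EXP-RC4-MD5 EXP-RC4-MD5
""".split()

# The 11 suites IE7 offered (ClientHello in the ssldump trace), OpenSSL names.
CLIENT_IE7 = """
RC4-MD5 RC4-SHA DES-CBC3-SHA DES-CBC-SHA EXP1024-RC4-SHA EXP1024-DES-CBC-SHA
EXP-RC4-MD5 EXP-RC2-CBC-MD5 EDH-DSS-DES-CBC3-SHA EDH-DSS-DES-CBC-SHA
EXP1024-DHE-DSS-DES-CBC-SHA
""".split()

# Server key material, named after the CIPHER_DEBUG line "... dht=1 re=1 ... ds=0 ...":
# re = RSA certificate, ds = DSA signing certificate, dht = temporary DH key (assumed).
RSA_ONLY_SERVER = {"re": 1, "ds": 0, "dht": 1}

def needs(name):
    """(key exchange, authentication) implied by an OpenSSL suite name."""
    if "-DSS-" in name:
        return "DHE", "DSS"
    if "DHE-RSA" in name or "EDH-RSA" in name:
        return "DHE", "RSA"
    return "RSA", "RSA"

def usable(name, cert):
    """Does the server hold the certificate / temp key this suite needs?"""
    kx, auth = needs(name)
    if auth == "DSS" and not cert["ds"]:
        return False
    if auth == "RSA" and not cert["re"]:
        return False
    return kx != "DHE" or bool(cert["dht"])

def choose_cipher(server, client, cert, server_preference=False):
    """First usable suite of the preferred list that the other list also contains
    (server_preference mirrors SSL_OP_CIPHER_SERVER_PREFERENCE)."""
    prio, allow = (server, client) if server_preference else (client, server)
    return next((c for c in prio if usable(c, cert) and c in allow), None)
```

With the RSA-only server from the trace and client preference the model picks RC4-MD5 as in the dump; with server preference it skips the EDH-DSS suites (no DSA certificate) and lands on DES-CBC3-SHA, and only a server with a DSA certificate and a temporary DH key (no -no_dhe) would pick EDH-DSS-DES-CBC3-SHA.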

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]