Greetings,

It seems that OpenSSL doesn't always obey the server's priority-ordered list of ciphers (set with SSL_set_cipher_list()), even when that list is syntactically correct, when the ciphers are available, and when the client capabilities don't constrain the choice.
Example: I can specify on the server a cipher list where AES128-SHA has the highest priority and is supported by the client, but it is not chosen during the handshake.

I first noticed this when trying to configure mod_ssl (Apache httpd), using OpenSSL/0.9.8m. I subsequently verified the same behavior by writing client and server programs that directly call the OpenSSL library (0.9.8h). I have also verified it using s_client and Firefox as clients against mod_ssl and against my own server program.

The "custom" cipher string I'm using in mod_ssl's SSLCipherSuite directive, and in my own server program, is:

    !ADH:!eNULL:!EXP:!LOW:AES128-SHA:DHE-RSA-AES128-SHA:HIGH:MEDIUM

When this string is used, the cipher selected by the handshake is DHE-RSA-AES256-SHA, even when the client supports AES128-SHA.

Here's what I observed when I tested using my own client and server programs with various cipher lists. In the following table, "default" is what you get if you don't specify a cipher list by calling SSL_set_cipher_list(), "custom" is the string above (starting with !ADH), and "AES128-SHA" means that ONLY that single cipher was specified in SSL_set_cipher_list(). Immediately before the handshake, SSL_get_cipher_list() was called in all cases, on both server and client, to verify the effective cipher list. On both client and server, the selected cipher is obtained by calling SSL_get_current_cipher() after the handshake. The current cipher can also be obtained by examining s_client's output, and by examining the certificate details in Firefox.

    Server      Client      Result
    ------      ------      ------
    default     default     DHE-RSA-AES256-SHA
    custom      default     DHE-RSA-AES256-SHA
    AES128-SHA  default     AES128-SHA
    default     AES128-SHA  AES128-SHA

As indicated in the table, when I set AES128-SHA to be the ONLY cipher on either server or client, AES128-SHA is chosen in the handshake. But it isn't chosen in the custom/default case.
More details: When I set my custom cipher list

    !ADH:!eNULL:!EXP:!LOW:AES128-SHA:DHE-RSA-AES128-SHA:HIGH:MEDIUM

on the server (using SSL_set_cipher_list()), and call SSL_get_cipher_list() on the server immediately before the handshake, here's the priority-ordered list that the OpenSSL library reports:

    priority:  0: AES128-SHA
    priority:  1: DHE-RSA-AES128-SHA
    priority:  2: DHE-RSA-AES256-SHA
    priority:  3: DHE-DSS-AES256-SHA
    priority:  4: AES256-SHA
    priority:  5: DHE-DSS-AES128-SHA
    priority:  6: EDH-RSA-DES-CBC3-SHA
    priority:  7: EDH-DSS-DES-CBC3-SHA
    priority:  8: DES-CBC3-SHA
    priority:  9: DES-CBC3-MD5
    priority: 10: RC4-SHA
    priority: 11: RC4-MD5
    priority: 12: RC2-CBC-MD5
    priority: 13: RC4-MD5

On both server and client, the default list is:

    priority:  0: DHE-RSA-AES256-SHA
    priority:  1: DHE-DSS-AES256-SHA
    priority:  2: AES256-SHA
    priority:  3: EDH-RSA-DES-CBC3-SHA
    priority:  4: EDH-DSS-DES-CBC3-SHA
    priority:  5: DES-CBC3-SHA
    priority:  6: DES-CBC3-MD5
    priority:  7: DHE-RSA-AES128-SHA
    priority:  8: DHE-DSS-AES128-SHA
    priority:  9: AES128-SHA
    priority: 10: RC2-CBC-MD5
    priority: 11: RC4-SHA
    priority: 12: RC4-MD5
    priority: 13: RC4-MD5
    priority: 14: EDH-RSA-DES-CBC-SHA
    priority: 15: EDH-DSS-DES-CBC-SHA
    priority: 16: DES-CBC-SHA
    priority: 17: DES-CBC-MD5
    priority: 18: EXP-EDH-RSA-DES-CBC-SHA
    priority: 19: EXP-EDH-DSS-DES-CBC-SHA
    priority: 20: EXP-DES-CBC-SHA
    priority: 21: EXP-RC2-CBC-MD5
    priority: 22: EXP-RC2-CBC-MD5
    priority: 23: EXP-RC4-MD5
    priority: 24: EXP-RC4-MD5

Any idea why my custom list doesn't result in AES128-SHA being selected in the handshake?

-Mike
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
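The following is an added example, not part of the original post or of OpenSSL itself. It models the server-side selection rule OpenSSL applies in ssl3_choose_cipher(): unless the server sets SSL_OP_CIPHER_SERVER_PREFERENCE (which mod_ssl exposes as SSLHonorCipherOrder), the server walks the client's list in the client's order and takes the first cipher that also appears in its own list; with the option set, the roles are swapped and the server's order wins. The two cipher lists are the ones printed in the post. The model is simplified: it assumes every cipher on both lists is usable with the server's certificate and key, and ignores protocol-version filtering, so it reproduces the post's observed results rather than the full handshake logic.

```python
"""Model of OpenSSL's server-side cipher choice, with and without
SSL_OP_CIPHER_SERVER_PREFERENCE. Added example; the cipher lists are
copied from the post, everything else is a simplified reconstruction."""

# Server list reported by SSL_get_cipher_list() for the "custom" string
# !ADH:!eNULL:!EXP:!LOW:AES128-SHA:DHE-RSA-AES128-SHA:HIGH:MEDIUM (from the post).
SERVER_CUSTOM = [
    "AES128-SHA", "DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA",
    "AES256-SHA", "DHE-DSS-AES128-SHA", "EDH-RSA-DES-CBC3-SHA", "EDH-DSS-DES-CBC3-SHA",
    "DES-CBC3-SHA", "DES-CBC3-MD5", "RC4-SHA", "RC4-MD5", "RC2-CBC-MD5", "RC4-MD5",
]

# Default list reported on both client and server (from the post).
DEFAULT = [
    "DHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "AES256-SHA", "EDH-RSA-DES-CBC3-SHA",
    "EDH-DSS-DES-CBC3-SHA", "DES-CBC3-SHA", "DES-CBC3-MD5", "DHE-RSA-AES128-SHA",
    "DHE-DSS-AES128-SHA", "AES128-SHA", "RC2-CBC-MD5", "RC4-SHA", "RC4-MD5", "RC4-MD5",
    "EDH-RSA-DES-CBC-SHA", "EDH-DSS-DES-CBC-SHA", "DES-CBC-SHA", "DES-CBC-MD5",
    "EXP-EDH-RSA-DES-CBC-SHA", "EXP-EDH-DSS-DES-CBC-SHA", "EXP-DES-CBC-SHA",
    "EXP-RC2-CBC-MD5", "EXP-RC2-CBC-MD5", "EXP-RC4-MD5", "EXP-RC4-MD5",
]


def choose_cipher(server_list, client_list, server_preference=False):
    """Return the cipher the server would pick, or None if nothing is shared.

    Mirrors the prio/allow split in ssl3_choose_cipher(): the "prio" list is
    walked in order and the first entry present in the "allow" list wins.
    By default prio is the CLIENT list; SSL_OP_CIPHER_SERVER_PREFERENCE
    makes it the SERVER list. (Certificate/key and version checks omitted.)
    """
    if server_preference:
        prio, allow = server_list, client_list
    else:
        prio, allow = client_list, server_list
    allowed = set(allow)
    for cipher in prio:
        if cipher in allowed:
            return cipher
    return None  # no cipher in common: handshake failure


def observed_table(server_preference=False):
    """Recompute the four Server/Client cases from the post's table."""
    cases = {
        "default/default": (DEFAULT, DEFAULT),
        "custom/default": (SERVER_CUSTOM, DEFAULT),
        "AES128-SHA/default": (["AES128-SHA"], DEFAULT),
        "default/AES128-SHA": (DEFAULT, ["AES128-SHA"]),
    }
    return {name: choose_cipher(srv, cli, server_preference)
            for name, (srv, cli) in cases.items()}


if __name__ == "__main__":
    for pref in (False, True):
        print("SSL_OP_CIPHER_SERVER_PREFERENCE =", pref)
        for name, cipher in observed_table(pref).items():
            print(f"  {name:20s} -> {cipher}")
```

With the option unset the model yields exactly the post's table: in the custom/default case the client's first preference, DHE-RSA-AES256-SHA, is present in the server's custom list (at priority 2), so it is chosen before the server ever considers AES128-SHA. Setting the option flips the same case to AES128-SHA. The single-cipher cases come out as AES128-SHA either way, because the walk of the longer list can only stop at the one shared entry.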