> From: owner-openssl-us...@openssl.org On Behalf Of Nouefel
> Sent: Tuesday, 01 March, 2011 21:26

> Answering your questions:
> Are you even sure HOSTNAME:443 and HOSTNAME:8000 are 
> the same host? 
> Yes. It's a device.
> 
> 2. 443 is disabled, hence it disconnects.
> 
What you posted is a failure to connect (timeout).
That's not the same thing as a disconnect. It is *a* 
reasonable thing to do for 'disabled' (though I don't 
think the best; I prefer to explicitly refuse).

> 
> 3. 8000 is the port we used to communicate. I need to make 
> sure the device does not support weak security.
> Hence, I ran the openssl commands, where for 8000 it 
> connected and writeErr.
> 
And you don't know why. Try -msg or -debug as I said;
that should at least narrow it down. If you have (other) 
access to the device, does it have relevant log information?

But even if it rejects one particular weak handshake, 
that doesn't prove it will reject all. And even if it 
uses only strong ciphersuite(s), there are other ways 
for security to be weak or fail. Many other ways.

You can prove it is capable of supporting strong crypto, 
which may or may not be strong security. You can't prove 
it doesn't support weak security, except by inspection.
(And even then, if there are bugs/flaws the vendor missed, 
an outside examiner may not catch them either.)

> 4. When you say weak algorithm, we are using SSLv3 ciphers;
> we used SSL_RSA_WITH_RC4_128_SHA.
> 
Your posted cases don't show that, but if you are, 
that's usually good enough assuming RSA >= 1024 bits, 
which isn't enforced by the protocol or by openssl;
some people prefer the safety margin of 1536 or 2048.
It's not the only good choice; there are many others.

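A probe along the lines of the advice above (try every suite separately, since one rejected handshake says nothing about the rest, and read the server key size yourself, since openssl does not enforce a minimum); this is an added example, not code from this thread. HOST and PORT are placeholders, and the s_client output in SAMPLE is constructed for offline use.

```shell
#!/bin/sh
# Added example, not from the thread: probe every ciphersuite the local
# openssl knows against HOST:PORT, report which ones the peer accepts, and
# show the advertised server key size (openssl does not reject small RSA keys).
# Assumes openssl(1) s_client output format; HOST/PORT are placeholders.
# Negotiated suite from s_client output ("New, TLSv1.2, Cipher is NAME").
# Returns 1 and prints nothing when no session was set up ("(NONE)").
negotiated_cipher() {
    name=$(printf '%s\n' "$1" | sed -n 's/.*, Cipher is \([^ ]*\).*/\1/p' | head -n 1)
    case "$name" in
        ''|'(NONE)') return 1 ;;
        *) printf '%s\n' "$name" ;;
    esac
}

# Server key size from the "Server public key is N bit" line (empty if absent).
server_key_bits() {
    printf '%s\n' "$1" | sed -n 's/^Server public key is \([0-9]*\) bit.*/\1/p' | head -n 1
}

# Weak by suite name: RC4, (3)DES, export, NULL, MD5 or anonymous key exchange.
weak_suite() {
    case "$1" in
        *RC4*|*DES*|*EXP*|*NULL*|*MD5*|*ADH*|*AECDH*) return 0 ;;
        *) return 1 ;;
    esac
}

# Try each suite on its own: one rejected handshake proves nothing about the rest.
probe_host() {
    host=$1; port=$2
    for c in $(openssl ciphers 'ALL:COMPLEMENTOFALL' | tr ':' ' '); do
        out=$(openssl s_client -connect "$host:$port" -cipher "$c" </dev/null 2>&1)
        got=$(negotiated_cipher "$out") || continue
        bits=$(server_key_bits "$out")
        if weak_suite "$got"; then tag=WEAK; else tag=ok; fi
        printf '%-4s %s (server key %s bits)\n' "$tag" "$got" "${bits:-?}"
    done
}
# Constructed sample of s_client output for offline use (not a real capture).
SAMPLE='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit'

# Offline demo on the sample; pass HOST PORT to probe a real device instead.
if [ "$#" -eq 2 ]; then probe_host "$1" "$2"; else
    printf 'sample: %s, %s-bit key\n' "$(negotiated_cipher "$SAMPLE")" "$(server_key_bits "$SAMPLE")"
fi
```

Suites that only TLS 1.3 knows are passed with -cipher and simply fail to match, so they are skipped; a host that times out (as 443 did above) will stall once per suite.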


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
