Won't be able to paste the entire source code since the SIP application
uses the sipXecs stack. SipStack has been built with OpenSSL, which calls
SSL_connect as shown below:


void OsSSLConnectionSocket::SSLInitSocket(int socket, long timeoutInSecs)
{
    if (mIsConnected)
    {
        int err = -1;

        // TODO: eventually this should allow for other SSL contexts...
        mSSL = OsSharedSSL::get()->getServerConnection();

        if (mSSL && (socketDescriptor > OS_INVALID_SOCKET_DESCRIPTOR))
        {
            SSL_set_fd (mSSL, socketDescriptor);
            err = SSL_connect(mSSL);

Any pointers that you think I could verify from my end would be helpful.

Thanks and Regards,
Gauri

On Tue, May 3, 2011 at 10:42 AM, derleader mail <derlea...@abv.bg> wrote:

>   Hi All,
>
> I have built an SIP test application using openssl. I am trying to restrict
> the ciphers sent by this application in Client Hello to those with only RSA
> key exchange.
>
> Is there a way to configure it in OpenSSL?
>
> I tried to compile the source code with SSL_DEFAULT_CIPHER_LIST set to
> "RSA:!aNULL:!eNULL:+RC4:@STRENGTH" in ssl.h.
>
> When I run openssl ciphers -v the ciphers listed are just those with RSA,
>
> C:\Openssl_src\openssl-0.9.8f\openssl-0.9.8f\out32dll>openssl.exe ciphers -v
> AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
> DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
> DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
> AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
> IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
> IDEA-CBC-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=MD5
> RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
> RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
> RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
> RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
> DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
> DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
> EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
> EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5 export
> EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5 export
> EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5 export
> EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5 export
>
>
> *but when I build the application using these new libraries the
> application still sends all the ciphers as shown below*
>
> Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x000039)
> Cipher Spec: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x000038)
> Cipher Spec: TLS_RSA_WITH_AES_256_CBC_SHA (0x000035)
> Cipher Spec: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x000016)
> Cipher Spec: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
> Cipher Spec: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a)
> Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0)
> Cipher Spec: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x000033)
> Cipher Spec: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x000032)
> Cipher Spec: TLS_RSA_WITH_AES_128_CBC_SHA (0x00002f)
> Cipher Spec: TLS_RSA_WITH_IDEA_CBC_SHA (0x000007)
> Cipher Spec: SSL2_IDEA_128_CBC_WITH_MD5 (0x050080)
> Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x030080)
> Cipher Spec: TLS_RSA_WITH_RC4_128_SHA (0x000005)
> Cipher Spec: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
> Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080)
> Cipher Spec: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x000015)
> Cipher Spec: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x000012)
> Cipher Spec: TLS_RSA_WITH_DES_CBC_SHA (0x000009)
> Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 (0x060040)
> Cipher Spec: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000014)
> Cipher Spec: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x000011)
> Cipher Spec: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000008)
> Cipher Spec: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x000006)
> Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x040080)
> Cipher Spec: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x000003)
> Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 (0x020080)
>
>
> Do I need to do anything else to restrict the cipher list to RSA only?
>
>
> Regards,
> Gauri
>
> Hi,
>   Can you paste here the source code? I would like to see your
> implementation.
>
> Regards
>
>
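
The following is an added example, not part of the thread and not sipXecs code: it sets the cipher string from the question at run time on the TLS context and then checks which key exchanges remain enabled. It uses Python's ssl module, which hands the same cipher-string syntax to OpenSSL; in a C or C++ application the corresponding OpenSSL calls are SSL_CTX_set_cipher_list() on the context or SSL_set_cipher_list() on the SSL object before SSL_connect(). The function names are hypothetical, and a current OpenSSL build is assumed.

```python
import ssl

# Cipher string taken from the question; "RSA" selects RSA key exchange.
RSA_ONLY = "RSA:!aNULL:!eNULL:+RC4:@STRENGTH"


def build_rsa_only_context(cipher_string=RSA_ONLY):
    """Client context whose cipher offer is limited by cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Raises ssl.SSLError if the string selects no cipher at all.
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are not governed by the cipher string, so cap the
    # protocol version to keep them out of the ClientHello.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def offered_suites(ctx):
    """(name, key exchange) for each enabled suite, TLS 1.3 entries excluded."""
    return [
        (c["name"], c.get("kea"))
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3"
    ]


def non_rsa_key_exchange(ctx):
    """Names of enabled suites whose key exchange is anything but RSA."""
    return [name for name, kea in offered_suites(ctx) if kea != "kx-rsa"]


if __name__ == "__main__":
    ctx = build_rsa_only_context()
    for name, kea in offered_suites(ctx):
        print(f"{name:30} {kea}")
    leftovers = non_rsa_key_exchange(ctx)
    print("non-RSA key exchange still enabled:", leftovers or "none")
```

Listing the enabled suites on the context the application really uses, rather than with the openssl command-line tool, shows what that context will put in its ClientHello.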