I have used wireshark, and captured packets details says: Version : TLS 1.0(0x301), Client has sent hello with some 12 cipher suites.
Server returned Hello with same TLS 1.0, with TLS_RSA_WITH_AES_128_CBC_SHA(0x002f) Sorry, I could not copy packet details from wireshark, I could not see any option to copy as text. Thanks – Pradeep Reddy. From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jay Foster Sent: Friday, October 24, 2014 11:13 PM To: openssl-users@openssl.org Subject: Re: openssl SSL3 vulnerability There seems to be a difference between the SSL (protocol) version and the Cipher version/description. You might try the following debug code to clarify. printf("SSL Version : %s\n", SSL_get_version(ssl)); const SSL_CIPHER *ciph = SSL_get_current_cipher(ssl); if (ciph) { printf("Cipher Version : %s\n", SSL_CIPHER_get_version(ciph)); printf("Cipher Name : %s\n", SSL_CIPHER_get_name(ciph)); } For example: SSL Version : TLSv1 Cipher Version : TLSv1/SSLv3 Cipher Name : AES256-SHA From the SSL_CIPHER_get_name(3) man page: SSL_CIPHER_get_version() returns string which indicates the SSL/TLS protocol version that first defined the cipher. This is currently SSLv2 or TLSv1/SSLv3. In some cases it should possibly return ``TLSv1.2'' but does not; use SSL_CIPHER_description() instead. Jay On 10/24/2014 10:16 AM, mclellan, dave wrote: The plot thickens, but our mails must be crossing. I do indeed see TLSV1.2 in that message, but if and only if a much more restrictive set of ciphers is specified. That's why I was questioning the appearance of SSLv3 in other cases, despite the case that I had set the options to disable SSLv3. +-+-+-+-+-+-+-+-+- Dave McLellan, Enterprise Storage Software Engineering, EMC Corporation, 176 South St. Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749 Office: 508-249-1257, FAX: 508-497-8027, Mobile: 978-500-2546, dave.mclel...@emc.com<mailto:dave.mclel...@emc.com> +-+-+-+-+-+-+-+-+- -----Original Message----- From: owner-openssl-us...@openssl.org<mailto:owner-openssl-us...@openssl.org> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Erik Forsberg Sent: Friday, October 24, 2014 12:46 PM To: openssl-users@openssl.org<mailto:openssl-users@openssl.org> Subject: Re: openssl SSL3 vulnerability That triggers my memory. I saw this too a long time ago, if I recall correctly, if you get a TLSv1.2 connection, its still logged as SSLv3 (there is lack of printable enums in the OpenSSL code. I looked at my negotiation with wireshark and saw that I got TLSv1.2 despite what the debug trace said. I hope this could be fixed one day ? -- Original Message -- On 24/10/2014 15:53, Pradeep Gudepu wrote: To my earlier code, I have added these extra flags for client: SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); And server also has these same flags set, so that no way client and server can communicate on sslv2, sslv3. But again in logs I see SSL3 is negotiated: [2014-10-24 18:00:17.063, Info < proxysrv:10684>] SSLConfig::Init: SSL initiated (OpenSSL 1.0.1j 15 Oct 2014 built on: Mon Oct 20 15:08:32 2014). [2014-10-24 18:02:11.640, Info < proxysrv:10684>] SSLSocket::Callback: Handshake done: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 Does this really mean "SSLv3.0 protocol negotiated"? Or does it just mean "SSLv3.x" (which includes TLSv1.x)? Or perhaps "SSLv3 compatible cipher suite" (which also includes TLSv1.x)? On server, I have these ciphers set: ::SSL_CTX_set_cipher_list(ctx, "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"); Is there something wrong with these ciphers? What are best cipher argument for only TLSv1 communication. I think, I need not set ciphers on client side. Thanks – Pradeep reddy. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org<mailto:openssl-users@openssl.org> Automated List Manager majord...@openssl.org<mailto:majord...@openssl.org> :��I"Ϯ��r�m���� (���Z+�K‑�+����1���x ��h���[�z�(���Z+� ��f�y�����‑�f���h��)z{,�� ::DISCLAIMER:: ---------------------------------------------------------------------------------------------------------------------------------------------------- The contents of this e-mail and any attachment(s) are confidential and intended for the named recipient(s) only. E-mail transmission is not guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or may contain viruses in transmission. The e mail and its contents (with or without referred errors) shall therefore not attach any liability on the originator or HCL or its affiliates. Views or opinions, if any, presented in this email are solely those of the author and may not necessarily reflect the views or opinions of HCL or its affiliates. Any form of reproduction, dissemination, copying, disclosure, modification, distribution and / or publication of this message without the prior written consent of authorized representative of HCL is strictly prohibited. If you have received this email in error please delete it and notify the sender immediately. Before opening any email and/or attachments, please check them for viruses and other defects. ----------------------------------------------------------------------------------------------------------------------------------------------------
