Re: openssl-fips configure parameters to force IANA cipher suite compliance

On 02/07/2019 22:13, Larry Jordan via openssl-users wrote: I want to build an openssl-fips canister to force IANA cipher suite compliance. With the help of an openssl-iana mapping (https://testssl.sh/openssl-iana.mapping.html) I can identify the corresponding OpenSSL cipher suites. Not

openssl-fips configure parameters to force IANA cipher suite compliance

I want to build an openssl-fips canister to force IANA cipher suite compliance. With the help of an openssl-iana mapping (https://testssl.sh/openssl-iana.mapping.html) I can identify the corresponding OpenSSL cipher suites. IANA

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

On 1/17/2019 5:33 PM, Jordan Brown wrote: > Am I missing something? Seems I was.  Thanks, all. -- Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

On Thu, Jan 17, 2019 at 5:40 PM Jordan Brown wrote: > On 1/14/2019 4:09 AM, Matt Caswell wrote: > > This works more "by accident". There is no ciphersuite alias called > "TLSv1.3", so using it as above results in no ciphersuites matched. Since the > TLSv1.3 ciphersuites are on by default anyway

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

On Friday, 18 January 2019 02:33:20 CET Jordan Brown wrote: > On 1/14/2019 4:09 AM, Matt Caswell wrote: > > This works more "by accident". There is no ciphersuite alias called > > "TLSv1.3", so using it as above results in no ciphersuites matched. > > Since the TLSv1.3 ciphersuites are on by defaul

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

On Fri, Jan 18, 2019 at 01:33:20AM +, Jordan Brown wrote: > On 1/14/2019 4:09 AM, Matt Caswell wrote: > > This works more "by accident". There is no ciphersuite alias called > > "TLSv1.3", so using it as above results in no ciphersuites matched. > > Since the TLSv1.3 ciphersuites are on by defa

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

Hi, V Fri, 18 Jan 2019 01:33:20 + "Jordan Brown" napsáno: > On 1/14/2019 4:09 AM, Matt Caswell wrote: > > This works more "by accident". There is no ciphersuite alias called > > "TLSv1.3", so using it as above results in no ciphersuites matched. > > Since the TLSv1.3 ciphersuites are on by d

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

On 1/14/2019 4:09 AM, Matt Caswell wrote: > This works more "by accident". There is no ciphersuite alias called > "TLSv1.3", so using it as above results in no ciphersuites matched. > Since the TLSv1.3 ciphersuites are on by default anyway that's all > that you get back. >From what you say, and b

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

On Mon, Jan 14, 2019 at 03:31:36PM -0500, Viktor Dukhovni wrote: > > to not depend on this "accident", right? > > The correct form would be: > > $ /usr/local/bin/openssl ciphers -s tls1_3 | tr ':' '\n' > TLS_AES_256_GCM_SHA384 > TLS_CHACHA20_POLY1305_SHA256 > TLS_AES_128_GCM_SHA2

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

On Mon, Jan 14, 2019 at 02:18:18PM +0100, Yann Ylavic wrote: > I suppose one can always, e.g.: > > $ openssl ciphers -v |grep TLSv1.3 |awk '{print $1}' # or whatever filtering > > to not depend on this "accident", right? The correct form would be: $ /usr/local/bin/openssl ciphers -s tls1_3

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

On Mon, Jan 14, 2019 at 5:18 AM Yann Ylavic wrote: > I suppose one can always, e.g.: > > $ openssl ciphers -v |grep TLSv1.3 |awk '{print $1}' # or whatever filtering > > to not depend on this "accident", right? No, `ciphers` gives you the TLS cipher suites that are enabled, it doesn't give all.

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

On Mon, Jan 14, 2019 at 1:09 PM Matt Caswell wrote: > > This works more "by accident". There is no ciphersuite alias called "TLSv1.3", > so using it as above results in no ciphersuites matched. Since the TLSv1.3 > ciphersuites are on by default anyway that's all that you get back. OK, thanks for

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

On 13/01/2019 21:11, Yann Ylavic wrote: > On Tue, Jan 8, 2019 at 11:24 PM Sam Roberts wrote: >> >> node.js has an API that lists all the cipher suite names that can be >> validly passed to set_cipher_list(), but I don't see how to get them >> for TL

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

On Tue, Jan 8, 2019 at 11:24 PM Sam Roberts wrote: > > node.js has an API that lists all the cipher suite names that can be > validly passed to set_cipher_list(), but I don't see how to get them > for TLS1.3 to list the valid inputs to set_cipher_suites(). FWIW, the b

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

On Wed 2019-01-09 04:16:05 +, Jordan Brown wrote: > On 1/8/2019 7:44 PM, Viktor Dukhovni wrote: >> You could just provide a free-form emergency string parameter that >> users are advised to not change unless some major advance makes it >> necessary. At that time, advice can be published as to w

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

On 1/8/2019 8:21 PM, Viktor Dukhovni wrote: > How do you plan to offer a built-in menu of algorithms that have not > yet been added to OpenSSL? I'm a bit confused as to why we would need to - if the underlying OpenSSL doesn't support a particular algorithm, then there's no need to disable it. Th

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

On 1/8/2019 7:44 PM, Viktor Dukhovni wrote: > So what you get is AESGCM with SHA2 or CHACHA20 with Poly1305. > Breaks in either would be dramatic advances in cryptanalysis. History shows that protocols, algorithms, and implementations all have flaws.  We assume that flaws will be discovered and de

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

On Wed, Jan 09, 2019 at 04:16:05AM +, Jordan Brown wrote: > > You could just provide a free-form emergency string parameter that > > users are advised to not change unless some major advance makes it > > necessary. At that time, advice can be published as to what the > > override setting shoul

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

On Tue, Jan 8, 2019 at 7:10 PM Viktor Dukhovni wrote: > On Tue, Jan 08, 2019 at 02:23:27PM -0800, Sam Roberts wrote: > > node.js has an API that lists all the cipher suite names that can be > > validly passed to set_cipher_list(), but I don't see how to get them > > fo

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

On Wed, Jan 09, 2019 at 03:27:44AM +, Jordan Brown wrote: > > Is there a good reason to want to change or freeze them at this time? > > Our products allow the user to enable and disable individual ciphers, to > allow for both customer policy (e.g. a customer-specific approved-cipher > list) a

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

On 1/8/2019 7:10 PM, Viktor Dukhovni wrote: > The intent is that you SHOULD NOT generally customize the list. All > the ciphers in question are quite safe, and if the default changes, > you should probably go with that, rather than a frozen time-capsule > version. > > Is there a good reason to want

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

I would expect that smartphone clients might want to prioritize CHACHA over AES, but I don't think Node cares about that environment. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

On Tue, Jan 08, 2019 at 02:23:27PM -0800, Sam Roberts wrote: > node.js has an API that lists all the cipher suite names that can be > validly passed to set_cipher_list(), but I don't see how to get them > for TLS1.3 to list the valid inputs to set_cipher_suites(). The intent is t

[openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

node.js has an API that lists all the cipher suite names that can be validly passed to set_cipher_list(), but I don't see how to get them for TLS1.3 to list the valid inputs to set_cipher_suites(). The openssl ciphers CLI doesn't seem able to do this either. https://www.openssl.org/doc

Re: [openssl-users] Integrating New Cipher Suite

ect or body 'help' to openssl-users-requ...@openssl.org You can reach the person managing the list at openssl-users-ow...@openssl.org When replying, please edit your Subject line so it is more specific than "Re: Contents of openssl-users digest..." Today's Topics: 1. Re: I

Re: [openssl-users] Integrating New Cipher Suite

On 02/10/2017 00:47, Dr. Stephen Henson wrote: On Sun, Oct 01, 2017, Wallboy wrote: Hi, ... Bonus Question: Is it possible to remove the SCSV cipher in the ClientHello? You can't remove it without making source changes. Again it's in the ssl_cipher_list_to_bytes() function. Have you tried

Re: [openssl-users] Integrating New Cipher Suite

On Sun, Oct 01, 2017, Wallboy wrote: > Hi, > > I'm also interested in adding a few "pseudo" ciphersuites to OpenSSL. > Notably the 16 GREASE ones Chrome currently uses (0x0A0A, 0x1A1A...0xFAFA). > > I made similar changes to the files listed in this thread and compiled > successfully (based on 1

Re: [openssl-users] Integrating New Cipher Suite

Hi, I'm also interested in adding a few "pseudo" ciphersuites to OpenSSL. Notably the 16 GREASE ones Chrome currently uses (0x0A0A, 0x1A1A...0xFAFA). I made similar changes to the files listed in this thread and compiled successfully (based on 1.1.0f). I see the new cipher when doing "openssl cip

Re: [openssl-users] Integrating New Cipher Suite

On Fri, Apr 14, 2017, Schmicker, Robert wrote: > > > After some debugging (exactly as mentioned above) it appears that the cipher > suite does not show up in the ClientHello using the s_client/s_server. I > modified the cipher for testing to use 512 bits instead of 64 so that

Re: [openssl-users] Integrating New Cipher Suite

th enable-ssl-trace and then try >the -trace command ot s_client/s_server and see if the new ciphersuites is >sent in ClientHello > >Steve. >-- >Dr Stephen N. Henson. OpenSSL project core developer. >Commercial tech support now available see: http://www.openssl.org After some

Re: [openssl-users] Integrating New Cipher Suite

On Tue, Apr 11, 2017, Schmicker, Robert wrote: > Added a define in include/openssl/ssl.h: ># define SSL_TXT_MYCIPHER "MYCIPHER" > > Integrated into ssl/s3_lib.c: >static SSL_CIPHER ssl3_ciphers[] = { > >{ > 1, > TLS1_TXT_ECDHE_ECDSA_WITH_MYCIPHER_SHA384, > TLS1_CK_E

Re: [openssl-users] Integrating New Cipher Suite

Thank you for the quick replies! @Matt Caswell I have attempted to integrate the cipher suite into the source code and here is what I have done so far… Please keep in mind this was a previous attempt that mimicked a different cipher suite. Added defines in include/openssl/tls1.h: # define

Re: [openssl-users] Integrating New Cipher Suite

On Sat, Apr 08, 2017, Schmicker, Robert wrote: > Hello, > > I'm attempting to integrate a customized cipher suite for TLS 1.2, > however no matter what I try I always seem to end up with this error > (client side): > > SSL routines:ssl_cipher_list_to_bytes:no ciph

Re: [openssl-users] Integrating New Cipher Suite

On 08/04/17 18:56, Schmicker, Robert wrote: > Hello, > > I'm attempting to integrate a customized cipher suite for TLS 1.2, > however no matter what I try I always seem to end up with this error > (client side): > > SSL routines:ssl_cipher_list_to_bytes:no ciph

[openssl-users] Integrating New Cipher Suite

Hello, I'm attempting to integrate a customized cipher suite for TLS 1.2, however no matter what I try I always seem to end up with this error (client side): SSL routines:ssl_cipher_list_to_bytes:no ciphers available:ssl/statem/statem_clnt.c:3567 Can anyone give some further explanation on

Re: [openssl-users] Is there a way to get the numeric-value for a openssl-cipher-suite

Does the -V flag not do what you want? -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Is there a way to get the numeric-value for a openssl-cipher-suite

On 14/12/16 08:09, Ajay Garg wrote: > Hi All. > > I am using the following script at myu laptop, to test for the available > cipher-suites : > > > #!/usr/bin/env bash > > # OpenSSL requires the port number. > SERVER=server.ip.com:12345

[openssl-users] Is there a way to get the numeric-value for a openssl-cipher-suite

Hi All. I am using the following script at myu laptop, to test for the available cipher-suites : #!/usr/bin/env bash # OpenSSL requires the port number. SERVER=server.ip.com:12345 DELAY=1 ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g

Re: [openssl-users] cipher suite list

Thanks Michael. From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Michael Wojcik Sent: September-28-16 2:58 PM To: openssl-users@openssl.org Subject: [Newsletter] Re: [openssl-users] cipher suite list Ivan Ristic's free OpenSSL Cookbook has a long section on c

Re: [openssl-users] cipher suite list

> As for the silly disclaimer I have no control over adding it or not. My > company must append it to the email when it sends it. ? Please tell the folks at your company it is annoying. And consider posting from a non-company address, then. -- openssl-users mailing list To unsubscribe: http

Re: [openssl-users] cipher suite list

@openssl.org Subject: [Newsletter] Re: [openssl-users] cipher suite list Some places to look include: https://wiki.mozilla.org/Security/Server_Side_TLS https://bettercrypto.org/static/applied-crypto-hardening.pdf ssllabs.com observatory.mozilla.org And

Re: [openssl-users] cipher suite list

Ivan Ristic's free OpenSSL Cookbook has a long section on cipher suite selection. It's available on feistyduck<https://www.feistyduck.com/books/openssl-cookbook/>. Michael Wojcik Distinguished Engineer, Micro Focus From: openssl-users [mailto:openssl-users-boun...@openssl.o

Re: [openssl-users] cipher suite list

Some places to look include: https://wiki.mozilla.org/Security/Server_Side_TLS https://bettercrypto.org/static/applied-crypto-hardening.pdf ssllabs.com observatory.mozilla.org And, by the way, the silly huge email disclaimer is obnoxious. -- Senior A

[openssl-users] cipher suite list

Hi, being somewhat of a newb to the security I thought I would ask the security community about the current best practices/guidelines for configuring the list of cipher suites that I should use in my client app. It seems like some cipher suites fall out of favour over time and I would like to us

Re: [openssl-users] Disable a cipher suite in openssl.cnf?

> On Sep 24, 2016, at 7:16 PM, Salz, Rich wrote: > >> >> Mr. Neugroschl's quest for a simple solution does bring up -- in my >> user-oriented opinion -- a very good follow-on question: "Why cannot a >> config file be utilized by openssl to simply give access based on an >> allow/deny mechani

Re: [openssl-users] Disable a cipher suite in openssl.cnf?

> Mr. Neugroschl's quest for a simple solution does bring up -- in my > user-oriented opinion -- a very good follow-on question: "Why cannot a config > file be utilized by openssl to simply give access based on an allow/deny > mechanism that would give users system-wide control in a single plac

Re: [openssl-users] Disable a cipher suite in openssl.cnf?

13, Scott Neugroschl <mailto:scot...@xypro.com>> wrote: Hi, I’m afraid the man page on the conf file is not particularly clear. I’m looking at mitigating CVE-2016-2183 (SWEET32), and am not sure how to disable the DES and 3DES suites in the conf file. Can someon

Re: [openssl-users] Disable a cipher suite in openssl.cnf?

> Can someone give me a hand? > > > ​You can't disable them in the openssl config file, you should do it in the cipher suite configuration of the affected application. Cheers Rich. ​ -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Disable a cipher suite in openssl.cnf?

Hi, I'm afraid the man page on the conf file is not particularly clear. I'm looking at mitigating CVE-2016-2183 (SWEET32), and am not sure how to disable the DES and 3DES suites in the conf file. Can someone give me a hand? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian St

Re: [openssl-users] DTLS cipher suite support

On 03/09/15 07:22, Bryce Kahle wrote: > I would like to use openssl as a basic DTLS server from the command line > using: openssl s_server -dtls1_2 > > The catch is I want to require the TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 > cipher suite. It appears OpenSSL currently doesn’t supp

[openssl-users] DTLS cipher suite support

I would like to use openssl as a basic DTLS server from the command line using: openssl s_server -dtls1_2 The catch is I want to require the TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 cipher suite. It appears OpenSSL currently doesn’t support this cipher suite, even though it supports the both

Re: [openssl-users] TLS_PSK_WITH_AES_128_CCM_8 Cipher Suite Support?

On Wed, Aug 05, 2015, Colin Foe-Parker wrote: > Good Morning, > > I am trying to set up a TLS connection between an embedded processor and > remote server using the TLS_PSK_WITH_AES_128_CCM_8 cipher suite. This > cipher suite is supported on the device side and I can find aes

[openssl-users] TLS_PSK_WITH_AES_128_CCM_8 Cipher Suite Support?

Good Morning, I am trying to set up a TLS connection between an embedded processor and remote server using the TLS_PSK_WITH_AES_128_CCM_8 cipher suite. This cipher suite is supported on the device side and I can find aes-128-ccm as a possibility on the fresh git clone of openssl. (using

Re: [openssl-users] incorrect name of cipher suite

Thank you, its very clearly 2015年5月19日 下午8:13於 "Matt Caswell" 寫道： > > > On 19/05/15 12:54, Weichen Lin wrote: > > according https://www.openssl.org/docs/apps/ciphers.html > > the name of TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA is DHE-DSS-DES-CBC3-SHA > > but I found it's not working, and finally success

Re: [openssl-users] incorrect name of cipher suite

On 19/05/15 12:54, Weichen Lin wrote: > according https://www.openssl.org/docs/apps/ciphers.html > the name of TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA is DHE-DSS-DES-CBC3-SHA > but I found it's not working, and finally success with EDH-DSS-DES-CBC3-SHA > > I think it's typo on document, where can I re

[openssl-users] incorrect name of cipher suite

according https://www.openssl.org/docs/apps/ciphers.html the name of TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA is DHE-DSS-DES-CBC3-SHA but I found it's not working, and finally success with EDH-DSS-DES-CBC3-SHA I think it's typo on document, where can I report this? ___

RE: Value of DEFAULT cipher suite

> You really should look at the extensive research done by SSL Labsbefore > blindly deprecating stuff. Sorry you think I'm doing that. I'm raising an issue six months before it will affect people. -- Principal Security Engineer, Akamai Technologies IM: rs...@jabber.me Twitter: RichSalz __

Re: Value of DEFAULT cipher suite

On 09/09/2014 19:20, Salz, Rich wrote: In addition to removing the very-weak (less than 70 bits security) ciphers from the default list,this would be a good opportunity to reorder the default I'd prefer to wait until TLS 1.3 is implemented, which has some definite (and rather strong :) feelings

Re: Value of DEFAULT cipher suite

On Tue, Sep 09, 2014 at 07:04:36PM +0200, Jakob Bohm wrote: > In addition to removing the very-weak (less than 70 bits security) > ciphers from the default list,this would be a good opportunity to > reorder the default list (either via the define, or bettervia whatever > internal priorities guide

RE: Value of DEFAULT cipher suite

> In addition to removing the very-weak (less than 70 bits security) ciphers > from the default list,this would be a good opportunity to reorder the default I'd prefer to wait until TLS 1.3 is implemented, which has some definite (and rather strong :) feelings on the subject. Doing things like p

Re: Value of DEFAULT cipher suite

On 09/09/2014 00:42, Salz, Rich wrote: We are considering removing weak cryptography from the value of DEFAULT. That is, append ":!LOW:!EXPORT" It is currently defined as this in include/openssl/ssl.h: #define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2" Please let us know

RE: Value of DEFAULT cipher suite

> Folks who want strong BCP crypto, can disable MEDIUM. Folks who want weak non-BCP crypto can enable LOW. I'm putting this on hold to see where we are 6-9 months from now. -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz __

Re: Value of DEFAULT cipher suite

On Tue, Sep 09, 2014 at 06:29:51PM +0200, Jeroen de Neef wrote: > I can see RC4 going in the list of low security ciphers within a couple of > years anyways, so we can better discourage the usage right now. Note that RC4 is essentially the only widely used MEDIUM cipher, and is by default last on

Re: Value of DEFAULT cipher suite

ode below the application layer is I think unwise. We could introduce a new cipher suite class name "BCP", to complement "DEFAULT". The latter is broadly interoperable with sensible ordering but inclusive cipher choices, the former would be more restrictive, offering only the BCP

Re: Value of DEFAULT cipher suite

I can see RC4 going in the list of low security ciphers within a couple of years anyways, so we can better discourage the usage right now. 2014-09-09 18:14 GMT+02:00 Salz, Rich : > We disagree. I've got two IETF WG's coming to the same conclusion so > making post-1.0.2 follow IETF practices seem

RE: Value of DEFAULT cipher suite

Yes, I'm jumping the gun claiming that the I-D are standards. They're not. They're just drafts. I'm willing to wait and see what happens for a few months. __ OpenSSL Project http://www.openssl.org

RE: Value of DEFAULT cipher suite

> From: owner-openssl-us...@openssl.org [mailto:owner-openssl- > us...@openssl.org] On Behalf Of Salz, Rich > Sent: Tuesday, 09 September, 2014 11:35 > To: openssl-users@openssl.org > Subject: RE: Value of DEFAULT cipher suite > > > Far more productive than disabling RC4 w

Re: Value of DEFAULT cipher suite

On Tue, Sep 09, 2014 at 11:34:43AM -0400, Salz, Rich wrote: > > Far more productive than disabling RC4 would be ensuring that it is not the > > preferred cipher suite when better options are enabled. > > I am not disabling RC4. I am saying that applications that want > to u

RE: Value of DEFAULT cipher suite

We disagree. I've got two IETF WG's coming to the same conclusion so making post-1.0.2 follow IETF practices seems pretty inarguable. > The IETF is sadly also prone to knee-jerk reactions. True. Some would put perpass in that category. -- Principal Security Engineer Akamai Technologies, Camb

RE: Value of DEFAULT cipher suite

> Far more productive than disabling RC4 would be ensuring that it is not the > preferred cipher suite when better options are enabled. I am not disabling RC4. I am saying that applications that want to use it will, after the post-1.0.2 release is adopted, need to take pro-active

RE: Value of DEFAULT cipher suite

> For what it's worth, I'm with Victor on this. RC4 as cipher of last resort in > the > default set is better than not having it there at all. Take it up with the IETF which has two working groups advocating against it. UTA (use of TLS in applications) and the TLS group itself: https://tools.i

Re: Value of DEFAULT cipher suite

bling RC4 would be ensuring that it is not the preferred cipher suite when better options are enabled. To improve security, raise the ceiling. ChaCha, new EC curves, extensions to negotiate DH parameters, ... Raising the floor can d

RE: Value of DEFAULT cipher suite

> From: owner-openssl-us...@openssl.org [mailto:owner-openssl- > us...@openssl.org] On Behalf Of Viktor Dukhovni > Sent: Tuesday, 09 September, 2014 09:01 > To: openssl-users@openssl.org > Subject: Re: Value of DEFAULT cipher suite > > On Tue, Sep 09, 2014 at 08:42:36AM -0

RE: Value of DEFAULT cipher suite

> Master has "security levels", which still need some work, but are a less crude > mechanism for such tweaks. Disabling RC4 at security level 2 or some such, is > better than incompatibly reclassifying it as "LOW". We can discuss the > details > later. That should probably also be done. But th

Re: Value of DEFAULT cipher suite

On Tue, Sep 09, 2014 at 08:42:36AM -0400, Salz, Rich wrote: > > Moving RC4 to "LOW" is also premature. It is already at the bottom of the > > medium cipherlist, that should be enough. > > I am planning on doing it for master, not 1.0.2 That means it > won't be in an official release until... wh

RE: Value of DEFAULT cipher suite

> Moving RC4 to "LOW" is also premature. It is already at the bottom of the > medium cipherlist, that should be enough. I am planning on doing it for master, not 1.0.2 That means it won't be in an official release until... what, at least six months. ___

Re: Value of DEFAULT cipher suite

On Tue, Sep 09, 2014 at 08:13:40AM -0400, Salz, Rich wrote: > > Please consider also adding !SSLv3 and !RC4 to this list. > > My plan is to move RC4 and MD5 to LOW; see RT3518. Moving RC4 to "LOW" is also premature. It is already at the bottom of the medium cipherlist, that should be enough. O

Re: Value of DEFAULT cipher suite

On Tue, Sep 09, 2014 at 11:02:45AM +0200, Benny Baumann wrote: > Please consider also adding !SSLv3 and !RC4 to this list. No. That would be unwise at this time. -- Viktor. __ OpenSSL Project

RE: Value of DEFAULT cipher suite

> Please consider also adding !SSLv3 and !RC4 to this list. My plan is to move RC4 and MD5 to LOW; see RT3518. As for SSLv3, the issue is that you really mean the protocol, not the ciphers (there's overlap with SSL and TLS), which is configured separately, and only via code. So I think I have

Re: Value of DEFAULT cipher suite

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi Rich, Am 09.09.2014 00:42, schrieb Salz, Rich: > We are considering removing weak cryptography from the value of > DEFAULT. That is, append ":!LOW:!EXPORT" > > It is currently defined as this in include/openssl/ssl.h: #define > SSL_DEFAULT_CI

Value of DEFAULT cipher suite

We are considering removing weak cryptography from the value of DEFAULT. That is, append ":!LOW:!EXPORT" It is currently defined as this in include/openssl/ssl.h: #define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2" Please let us know if you have strong objections to this. -

RE: What is the algorithm of choice cipher suite for connection by Server?

> From: owner-openssl-users On Behalf Of Vladimir Belov > Sent: Monday, December 23, 2013 23:13 > And just one question. Is there any possibility to set different > cipher suits for different versions of TLS? > Certainly not released. > For example, I want to exclude RC4 cipher suits wholly for

Re: What is the algorithm of choice cipher suite for connection by Server?

Thank you very much, Dave, for the answer and detailed explanation. And just one question. Is there any possibility to set different cipher suits for different versions of TLS? For example, I want to exclude RC4 cipher suits wholly for TLS 1.2/1.1 and leave them only for <=TLS 1.0 The reason is t

RE: What is the algorithm of choice cipher suite for connection by Server?

he algorithm of choice cipher suite for connection by Server? Hi, On Server we have an ordered list of cipher suits. Server gets a cipher suits of client in ClientHello. What is the algorithm of choice cipher suite for connection by Server from client's list? Is it simple so: server loo

Re: What is the algorithm of choice cipher suite for connection by Server?

2013/12/23 Sri Ramya > > hi, > please go through the below link.. > http://www.openssl.org/docs/apps/ciphers.html There is no answer to the question "What is the algorithm of choice cipher suite for connection by Server?" About "Сipher suits for different TLS vers

Re: What is the algorithm of choice cipher suite for connection by Server?

ce cipher > suite for connection by Server from client's list? > Is it simple so: server looks at its ciphers list from top to bottom and > the first corresponding cipher suite that will be in ClientHello's cipher > list will be chosen for connection. Or something else? >

What is the algorithm of choice cipher suite for connection by Server?

Hi, On Server we have an ordered list of cipher suits. Server gets a cipher suits of client in ClientHello. What is the algorithm of choice cipher suite for connection by Server from client's list? Is it simple so: server looks at its ciphers list from top to bottom and the first correspo

Re: Problem with cipher suite ECDHE-ECDSA-AES256-SHA384

) . Which files(s) need to > be addresses? > > > > -- > View this message in context: > http://openssl.6102.n7.nabble.com/Problem-with-cipher-suite-ECDHE-ECDSA-AES256-SHA384-tp42229p45461.html > Sent from the OpenSSL

Re: Problem with cipher suite ECDHE-ECDSA-AES256-SHA384

Hi, Could you help where do i need to change the method from TLSv1_2_server_method() to SSLv23_server_method() . Which files(s) need to be addresses? -- View this message in context: http://openssl.6102.n7.nabble.com/Problem-with-cipher-suite-ECDHE-ECDSA-AES256-SHA384-tp42229p45461.html Sent

Re: Problem with cipher suite ECDHE-ECDSA-AES256-SHA384

Just discovered the culprit. I had configured the server using TLSv1_server_method(), going from <http://www.openssl.org/docs/ssl/SSL_CTX_new.html> and assuming TLSv1 encompasses v1.{1,2}. Stumbled on this by chance by experimenting with forcing TLSv1.2 (of which the desired cipher suite is

Re: Problem with cipher suite ECDHE-ECDSA-AES256-SHA384

On Fri, Nov 09, 2012, Karel Sedl??ek wrote: > I was using secp521r1, but secp384r1 has the same behavior. Here is > the output with -state: > > SSL_connect:error in SSLv2/v3 read server hello A > 140735101956572:error:14077410:SSL > routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake > failure:

Re: Problem with cipher suite ECDHE-ECDSA-AES256-SHA384

I was using secp521r1, but secp384r1 has the same behavior. Here is the output with -state: CONNECTED(0003) SSL_connect:before/connect initialization write to 0x7fe008426dd0 [0x7fe008810800] (165 bytes => 165 (0xA5)) - 16 03 01 00 a0 01 00 00-9c 03 03 50 9d 3f 85 bf ...P.?.. 001

Re: Problem with cipher suite ECDHE-ECDSA-AES256-SHA384

On Fri, Nov 09, 2012, Karel Sedl??ek wrote: > I have; following is the relevant snippet: > > int nid = OBJ_sn2nid(ECDHE_CURVE); > if (NID_undef == nid) > goto err_obj_sn2nid; > > EC_KEY *ecdh = EC_KEY_new_by_curve_name(nid); > if (NULL == ecdh) > goto err_ec_key_new; > > SSL_C

Re: Problem with cipher suite ECDHE-ECDSA-AES256-SHA384

I have; following is the relevant snippet: int nid = OBJ_sn2nid(ECDHE_CURVE); if (NID_undef == nid) goto err_obj_sn2nid; EC_KEY *ecdh = EC_KEY_new_by_curve_name(nid); if (NULL == ecdh) goto err_ec_key_new; SSL_CTX_set_tmp_ecdh(tls_ctx, ecdh); On Fri, Nov 9, 2012 at 5:32 PM, Dr

Re: Problem with cipher suite ECDHE-ECDSA-AES256-SHA384

On Fri, Nov 09, 2012, Karel Sedl??ek wrote: > This problem is related to an issue I have been experiencing with a > piece of bespoke software I am writing that uses OpenSSL to terminate > SSL/TLS connections, using non-blocking I/O. > > Observations: > - My server's TLS handshake for cipher ECDHE

Problem with cipher suite ECDHE-ECDSA-AES256-SHA384

This problem is related to an issue I have been experiencing with a piece of bespoke software I am writing that uses OpenSSL to terminate SSL/TLS connections, using non-blocking I/O. Observations: - My server's TLS handshake for cipher ECDHE-ECDSA-AES256-GCM-SHA384 fails. - If I use ALL for my ser

RE: Making AES-CCM available as a TLS-negotiated cipher suite

2012 7:12 PM To: openssl-users@openssl.org Subject: Re: Making AES-CCM available as a TLS-negotiated cipher suite Hi Paul, On Wed, Apr 18, 2012 at 2:01 PM, Muschick, Paul wrote: > So, it’s ironic that only after I post to the mailing list, I solve my > first problem. For visitors from the

Re: Making AES-CCM available as a TLS-negotiated cipher suite

Hi Paul, On Wed, Apr 18, 2012 at 2:01 PM, Muschick, Paul wrote: > So, it’s ironic that only after I post to the mailing list, I solve my first > problem. For visitors from the future, to fully add a new cipher suite, you > can’t forget to add your cipher’s EVP_CIPHER* accessor

Re: Making AES-CCM available as a TLS-negotiated cipher suite

On Wed, Apr 18, 2012, Muschick, Paul wrote: > So, it's ironic that only after I post to the mailing list, I solve my first > problem. For visitors from the future, to fully add a new cipher suite, you > can't forget to add your cipher's EVP_CIPHER* accessor funct

RE: Making AES-CCM available as a TLS-negotiated cipher suite

So, it's ironic that only after I post to the mailing list, I solve my first problem. For visitors from the future, to fully add a new cipher suite, you can't forget to add your cipher's EVP_CIPHER* accessor function (generated by the BLOCK_CIPHER_custom macro) to SSL_li

  1   2   >