Hi,
I have shared the below mentioned Cipher suite as part of strong Cipher
Suites to be enabled on the server. The security auditor comments saying
ECs (elliptic curves) are not listed. I am not sure what it means. Please
guide with examples.
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Hi,
I am using Let's Encrypt SSL Certificates for Nginx 1.20.00 webserver
running on CentOS Linux release 7.9.2009 (Core). I will appreciate it if
someone can guide me to set the cipher suites in the Nginx Webserver
config. I am referring to https://ssl-config.mozilla.org/. Is there a way
to
Hi,
We are using the Nginx Web server on CentOS Linux release 7.7.1908 (Core).
*OpenSSL Version*
#openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
#
*Nginx Version*
#rpm -qa | grep nginx
nginx-1.16.1-1.el7.x86_64
#
Can someone please suggest me to use strong cipher suites for SSL/TLS
On Fri, Oct 25, 2019 at 8:50 PM Matt Caswell wrote:
>
>
> On 25/10/2019 09:39, Viktor Dukhovni wrote:
> > On Fri, Oct 25, 2019 at 03:33:43PM +0800, John Jiang wrote:
> >
> >> I'm using OpenSSL 1.1.1d.
> >> Just want to confirm if DHE_DSS cipher s
On 25/10/2019 09:39, Viktor Dukhovni wrote:
> On Fri, Oct 25, 2019 at 03:33:43PM +0800, John Jiang wrote:
>
>> I'm using OpenSSL 1.1.1d.
>> Just want to confirm if DHE_DSS cipher suites are not supported by this
>> version.
>
> They are supported, but:
>
On Fri, Oct 25, 2019 at 03:33:43PM +0800, John Jiang wrote:
> I'm using OpenSSL 1.1.1d.
> Just want to confirm if DHE_DSS cipher suites are not supported by this
> version.
They are supported, but:
* DSS ciphersuites are disabled by DEFAULT. You need to
specify an exp
Hi,
I'm using OpenSSL 1.1.1d.
Just want to confirm if DHE_DSS cipher suites are not supported by this
version.
Please consider the below simple case,
1. s_server uses a DSA certificate
2. force s_client to use TLS 1.2 and TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
(DHE-DSS-AES256-GCM-SHA384
* However if I try ECDHE, it works fine. Is DHE only cipher suites less
common now ?
* I believe its responsibility of server to generate DHparam of large
enough size.
Yes, DHE has dropped because it is hard to get right, and it takes more CPU
cycles than ECDHE.
Hi,
Why google rejected DH ciphers suites, I am trying
*openssl s_client -cipher 'DHE-RSA-AES128-GCM-SHA256' -connect
www.google.com:443 <http://www.google.com:443>*
However if I try ECDHE, it works fine. Is DHE only cipher suites less
common now ?
I believe its responsibil
n 2019, at 11:41 am, John Jiang > <mailto:john.sha.ji...@gmail.com>> wrote:
>>
>> Hi,
>> I'm using s_server and s_client from OpenSSL 1.1.1.
>> It looks the weak cipher suites, like SSL_RSA_WITH_RC4_128_MD5, are
>> disabled.
>> Is there any way to re-enable these cipher suites?
>>
>> Thanks!
>
:
>
> Hi,
> I'm using s_server and s_client from OpenSSL 1.1.1.
> It looks the weak cipher suites, like SSL_RSA_WITH_RC4_128_MD5, are
> disabled.
> Is there any way to re-enable these cipher suites?
>
> Thanks!
>
>
>
On 6/25/19 9:41 PM, John Jiang wrote:
Hi,
I'm using s_server and s_client from OpenSSL 1.1.1.
It looks the weak cipher suites, like SSL_RSA_WITH_RC4_128_MD5, are
disabled.
Is there any way to re-enable these cipher suites?
Fairly certain that is a configuration option however I hav
Jiang wrote:
>
> Hi,
> I'm using s_server and s_client from OpenSSL 1.1.1.
> It looks the weak cipher suites, like SSL_RSA_WITH_RC4_128_MD5, are disabled.
> Is there any way to re-enable these cipher suites?
>
> Thanks!
Hi,
I'm using s_server and s_client from OpenSSL 1.1.1.
It looks the weak cipher suites, like SSL_RSA_WITH_RC4_128_MD5, are
disabled.
Is there any way to re-enable these cipher suites?
Thanks!
You don't have to call either. Both have sensible defaults.
Especially, with TLS 1.3, there is generally little reason
to choose non-default ciphers.
> On Oct 26, 2018, at 6:12 PM, Skip Carter wrote:
>
> If my application will support both TLSv1.2 and TLSv1.3 connections to
> it (depending who
If my application will support both TLSv1.2 and TLSv1.3 connections to
it (depending who is connecting), do I have to call both
SSL_CTX_set_ciphersuites() and SSL_CTX_set_cipher_list() when setting
up my context?
--
Skip Carter
Taygeta Scientific Inc.
--
openssl-users mailing list
To unsubscrib
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Grace Priscilla Jero
> Sent: Wednesday, November 15, 2017 09:42
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] Supported cipher suites
> Some of them that we tried does not
On 16/11/17 07:00, Viktor Dukhovni wrote:
> In the upcoming TLS 1.3 the ciphers are completely different from
> previous versions, and configuration via cipher strings was not
> implemented last I looked. This may have changed...
You have always been able to configure the TLSv1.3 ciphers via ci
> On Nov 16, 2017, at 1:51 AM, Grace Priscilla Jero
> wrote:
>
> How to check the default ciphers? We are not setting any ciphers in our code.
What specifically are you looking for?
The cipherlist sent to the server depends in part on which protocols
are enabled in the client, and as of Open
ead about some PSK ciphers which I am not sure depends on something
> else.
>
> Thanks,
> Grace
>
> On Wed, Nov 15, 2017 at 3:03 PM, Matt Caswell wrote:
>
>>
>>
>> On 15/11/17 06:08, Grace Priscilla Jero wrote:
>> > Hi All,
>> > Do we have the e
Priscilla Jero wrote:
> > Hi All,
> > Do we have the exact list of cipher suites supported by default in
> > openssl for each of the below in 1.1.0g version of openSSL.
> >
> > TLS 1.0
> > TLS 1.1
> > TLS 1.2
> > DTLS 1.0
> > DTLS 1.2
>
> You
On 15/11/17 06:08, Grace Priscilla Jero wrote:
> Hi All,
> Do we have the exact list of cipher suites supported by default in
> openssl for each of the below in 1.1.0g version of openSSL.
>
> TLS 1.0
> TLS 1.1
> TLS 1.2
> DTLS 1.0
> DTLS 1.2
You can use the command
Hi All,
Do we have the exact list of cipher suites supported by default in openssl
for each of the below in 1.1.0g version of openSSL.
TLS 1.0
TLS 1.1
TLS 1.2
DTLS 1.0
DTLS 1.2
Thanks,
Grace
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Hi,
I'm looking for a DTLS solution that supports a specific set of cipher
suites. There is a listing (link below, not sure for which openssl
version?) where I found some of them, but still I did not find the
following ones:
TLS_ECDH_ANON_WITH_AES_128_CBC_S
r. wrote:
>
> >
> > AFAIK, you could limit it to the appropriate cipher suites, but be aware
> > that FIPS 140 is all about proving that only certain known and tested
> > [implementations of] algorithms are used. It's unlikely that another
> > version of OpenSSL would us
On Thu, Feb 04, 2016, Thomas Francis, Jr. wrote:
>
> AFAIK, you could limit it to the appropriate cipher suites, but be aware
> that FIPS 140 is all about proving that only certain known and tested
> [implementations of] algorithms are used. It's unlikely that another
> ver
ke it. :)
> As a semi-related question, would a non-FIPS OpenSSL installation still
> enforce the same cipher suites but just not be 'officially' validated?
AFAIK, you could limit it to the appropriate cipher suites, but be aware that
FIPS 140 is all about proving that only certa
> there more to FIPS_mode than I am aware of or would it be functionally
> equivalent to simply set my ciphers to something like 'FIPS:!aNULL:!eNULL'?
>
> As a semi-related question, would a non-FIPS OpenSSL installation still
> enforce the same cipher suites but just not
equivalent to simply set my
ciphers to something like 'FIPS:!aNULL:!eNULL'?
As a semi-related question, would a non-FIPS OpenSSL installation still
enforce the same cipher suites but just not be 'officially' validated?
Thanks!
-LJK
: Re: [openssl-users] [openssl-dev] Elliptical Cipher Suites
On Wed, Oct 07, 2015 at 01:54:40PM +, Thirumal, Karthikeyan wrote:
> Vik
That's not my name.
> Am using 0.9.8a version. Am trying to fix few weak ciphers in my SSL
> connection and also to make Elliptical cipher suites en
On Wed, Oct 07, 2015 at 01:54:40PM +, Thirumal, Karthikeyan wrote:
> Vik
That's not my name.
> Am using 0.9.8a version. Am trying to fix few weak ciphers in my SSL
> connection and also to make Elliptical cipher suites enable.
> I see that ECDHE ciphers are elliptical -
Vik
Am using 0.9.8a version. Am trying to fix few weak ciphers in my SSL connection
and also to make Elliptical cipher suites enable.
I see that ECDHE ciphers are elliptical - need more info on this.
Thanks & Regards
Karthikeyan Thirumal
-Original Message-
Hi Pratyush,
Had a quick search in the source, seems like "no-exp" doesn't change
anything. OPENSSL_NO_EXP is defined(by opensslconf.h) when "no-exp" is
specified with Configuration command, however, it is not used at all.
Regards
Way
On 17/07/15 03:19, pratyush parimal wrote:
Hi everyone,
Hi everyone,
I am trying to disable the EXPORT ciphers in my OpenSSL code, during
compile-time.
I'm able to do so at runtime by including '!EXP' in the string I use with
SSL_CTX_set_cipher_list(). However, I'm wondering is there an option (like
'no-rc5') that I can pass to Configure?
./Configure
>From: owner-openssl-us...@openssl.org On Behalf Of Yijun Wu
>Sent: Tuesday, 27 August, 2013 01:07
>It seems that when DHE-related cipher suites are used connection
>can not be established if the dhparam is not set on the server side.
>However, when dhparam is set on the
Hi there,
It seems that when DHE-related cipher suites are used connection can not
be established if the dhparam is not set on the server side. However, when
dhparam is set on the server side the connection can always be established
regardless of whether it is set on the client side. Of course
Thanks Dave. Yep the other person is my senior and since I didn't have a
user forum registration at that moment, so asked him to drop the question
on my behalf.
Sorry for the inconvenience.
Regards
Tanmoy Sinha
http://tanmoyspeaks.blogspot.com
On Mon, Jul 1, 2013 at 4:04 AM, Dave Thompson wr
>From: owner-openssl-us...@openssl.org On Behalf Of Tanmoy Sinha
>Sent: Friday, 28 June, 2013 04:29
>I am using a client application program which uses OpenSSL version
>1.0.0h. I configured TLSv1.2 and I have set the cipher suite only as
>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 [...but] Client He
Hi,
I am using a client application program which uses OpenSSL version
1.0.0h. I configured TLSv1.2 and I have set the cipher suite only as
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (i.e. ECDH-ECDSA-AES128-SHA256)
using the API SSL_CTX_set_cipher_list().
But what I find in packet capture, is
On Fri, Jun 28, 2013, Dave Thompson wrote:
>
> 1.0.1c and I believe earlier but not tested had several bugs
> in selecting kECDH and TLSv1.2 ciphers fixed in 1.0.1e.
> (Also kDH, but those aren't implemented anyway.)
>
Actually fixed DH is implemented now.
Steve.
--
Dr Stephen N. Henson. Ope
>From: owner-openssl-us...@openssl.org On Behalf Of Suryya Kumar Jana
>Sent: Friday, 28 June, 2013 05:34
>I am using a client application program which uses OpenSSL version
>1.0.0h. I configured TLSv1.2 and I have set the cipher suite only as
>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (i.e. ECDH-EC
Hi,
I am using a client application program which uses OpenSSL version
1.0.0h. I configured TLSv1.2 and I have set the cipher suite only as
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (i.e. ECDH-ECDSA-AES128-SHA256)
using the API SSL_CTX_set_cipher_list().
But what I find in packet capture, is
I'm going to try this question again because it seems like there are some
anomalies in the OpenSSL implementation: which cipher suites are available in
which versions of SSL/TLS?
Using Appendix A.5 from the TLS 1.0, 1.1, and 1.2 RFCs, it looks to me as
though there are some cipher suit
Ahhh, it looks like Appendix A.5 answers my questions more easily than Appendix
C.
I believe these are the answers:
In fact, TLS 1.1 does prohibit the use of the export cipher suites in TLS 1.0.
So there are effectively a few (9 by my count) cipher suites that supported in
TLS 1.0 that are
I'm a little confused about which cipher suites are supported by which SSL/TLS
protocol versions.
I'm using Appendix C of the TLS 1.0, 1.1, and 1.2 RFCs, respectively, as a
starting point for which cipher suites are supported in which version of the
protocol, but I'm not sure h
On Fri, 15 Feb 2013, Joel Dice wrote:
On Fri, 15 Feb 2013, Joel Dice wrote:
On Thu, 14 Feb 2013, Dr. Stephen Henson wrote:
On Thu, Feb 14, 2013, Joel Dice wrote:
Although OpenSSL seems to allow CBC-based suites with DTLS, from
what I've read a block in a CBC stream can't be properly decode
On Fri, 15 Feb 2013, Joel Dice wrote:
On Thu, 14 Feb 2013, Dr. Stephen Henson wrote:
On Thu, Feb 14, 2013, Joel Dice wrote:
Although OpenSSL seems to allow CBC-based suites with DTLS, from
what I've read a block in a CBC stream can't be properly decoded
without the prior block being availabl
On Thu, 14 Feb 2013, Dr. Stephen Henson wrote:
On Thu, Feb 14, 2013, Joel Dice wrote:
Although OpenSSL seems to allow CBC-based suites with DTLS, from
what I've read a block in a CBC stream can't be properly decoded
without the prior block being available
(http://en.wikipedia.org/wiki/Cipher_
Hi all,
I've been experimenting with the DTLS support in OpenSSL recently and
discovered that my application was receiving garbage data when packets
were lost or reordered. Closer inspection explained why: I was only
enabling cipher suites which either used stream ciphers like RC4 or
se: I was only enabling cipher suites which either used
> stream ciphers like RC4 or block ciphers like AES with block
> chaining. Although OpenSSL automatically disabled RC4, it did not
> disable AES with CBC, and I'm trying to understand how it's supposed
> to work.
>
>
Hi all,
I've been experimenting with the DTLS support in OpenSSL recently and
discovered that my application was receiving garbage plaintext when
packets were lost or reordered. Closer inspection suggested a possible
cause: I was only enabling cipher suites which either used stream ci
dshake the client
suggests a list of cipher suites (and then negotiation occurs).
I want to know what the client suggested.
In text (or with ways to translate bits to said text/acronyms).
Is there a trivial way to do this?
I want to expose the nature of the negotiation:
* it said: A, B, C or D (th
Hi OpenSSLers,
During the TLS handshake the client
suggests a list of cipher suites (and then negotiation occurs).
I want to know what the client suggested.
In text (or with ways to translate bits to said text/acronyms).
Is there a trivial way to do this?
I want to expose the nature of the
On 05/14/2012 02:59 PM, marek.marc...@malkom.pl wrote:
Hello,
$ openssl version
OpenSSL 1.0.0 29 Mar 2010
$ openssl ciphers -V
For SRP one should use the 1.0.1 version.
openssl version
OpenSSL 1.0.1 14 Mar 2012
openssl ciphers SRP
SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CB
spond to
> openssl-users@openssl.org
>
> To
>
> "openssl-users@openssl.org"
>
> cc
>
> Subject
>
> Are those TLS-SRP cipher suites supported?
>
> Does OpenSSL support these cipher suites (TLS-SRP)?
> 0xc0, 0x20 TLS_SRP_
On 5/9/2012 9:46 AM, nilesh wrote:
Hi,
In the SSL3.0 man page it is mentioned that the export type of cipher
suites are no longer supported.
US government has lifted the export restrictions.
Could someone please clarify what exactly is meant by export
restrictions? And are these cipher
Hi,
In the SSL3.0 man page it is mentioned that the export type of cipher
suites are no longer supported.
US government has lifted the export restrictions.
Could someone please clarify what exactly is meant by export
restrictions? And are these cipher suites no longer commonly used
l.org"
Sent: Tuesday, March 20, 2012 4:36 PM
Subject: Adding new cipher suites to Openssl
I would like to experiment with the PSK cipher suites defined in RFC 5487
(http://tools.ietf.org/html/rfc5487) and I am struggling to add support for
these in Openssl. I am only interested in th
I would like to experiment with the PSK cipher suites defined in RFC 5487
(http://tools.ietf.org/html/rfc5487) and I am struggling to add support for
these in Openssl. I am only interested in the variants compatible with TLS 1.1 :
CipherSuite TLS_PSK_WITH_AES_128_CBC_SHA256
On Fri, Nov 4, 2011 at 5:23 PM, John Foley wrote:
> None of the ECDH-RSA cipher suites appear to work in 0.9.8r. Yet they
> work in 1.0.0. Is this expected?
>
Yes -- the OpenSSL 0.9.8 branch includes basic support for elliptic-curve
cryptography, but TLS integration wasn't fini
None of the ECDH-RSA cipher suites appear to work in 0.9.8r. Yet they
work in 1.0.0. Is this expected?
Looking at s3_lib.c, all the older DH-RSA cipher suites are disabled
(SSL_CIPHER->valid=0). But the ECDH-RSA ciphers listed in s3_lib.c are
enabled. This leads to the following questions:
Thanks Ram,
Another question too,
After exchanging the client and server hello , On what basis is the common
cipher agreed upon?
-mithun
On Sat, Nov 5, 2011 at 9:26 AM, wrote:
> By default it will send all the ciphersuites it is supporting , but you
> can always control the cipher
By default it will send all the ciphersuites it is supporting , but you
can always control the cipher suites you want negotiate by using something
like below ...
here it will set only Non_anonymous and RSA type ciphersuites
if (!SSL_CTX_set_cipher_list(*ctx,
"RSA:!ADH:!NULL:!aNULL!RC4
Thanks Ram,
i have another question,
When the client sends "client hello" will it specify all the cipher suites
it supports or are there any other parameters that can be configured at the
client so that it sends selective list of cipher suites?
-Thanks
mithun
On Sat, Nov 5, 2011
You can check the supported cipher suites by looking in to client hello
message.
Regards,
Ram
> Hello Forum,
>
> I want to know what are the cipher suites that the client is supporting.
> How can i do that?
Hello Forum,
I want to know what are the cipher suites that the client is supporting.
How can i do that?
-mithun
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> us...@openssl.org] On Behalf Of Richard Könning
> Sent: Wednesday, October 12, 2011 7:20 PM
> To: openssl-users@openssl.org
> Subject: Re: Regarding cipher suites in SSLv3.
>
> Am 12.10.2011 15:29, schrieb nile
On 12.10.2011 15:29, nilesh wrote:
Hi,
I am writing some code for decryption of https data.
Currently I have planned to support SSLv3 with AES, 3DES and RC4
algorithms only.
Below are the cipher suites in SSLv3. I am looking for information on
which of these suites are commonly used.
SSLv3
Hi,
I am writing some code for decryption of https data.
Currently I have planned to support SSLv3 with AES, 3DES and RC4
algorithms only.
Below are the cipher suites in SSLv3. I am looking for information on
which of these suites are commonly used.
SSLv3 implements all of them, but I have
oss a handful of DH certificates so far. They are awkward to generate
> too: you need a different algorithm to handle certificate requests (as you
> can't sign with the base algorithm). I'm not aware of any public CA that
> issues DH certificates.
Thank you very much for conformin
On Wed, May 19, 2010, Ingela Andin wrote:
>
> >From OpenSSL documentation:
> "The non-ephemeral DH modes are currently unimplemented in OpenSSL
> because there is no support for DH certificates."
>
> Question: Why is this? Is it something that you plan to implement? Or
> is this functionality
>
hing that you plan to implement? Or
is this functionality
something that is not widely used so you choose not to implement it?
Second I like to know your opinion on how important it is to support
export cipher suites for
TLS-1.0 and SSL-v3? Do you think it would be an issue if we decided
not to
On Sat, Dec 27, 2008 at 08:42:19PM -0500, Hector Santos wrote:
> I'm finally catching up and updating our OPENSSL *.dll distribution
> with the latest build (0.9.8i). We had 0.9.8a (2006 time frame)
>
> The main reason is because we got inquiries regarding AES and SSL3 and
Hi,
I'm finally catching up and updating our OPENSSL *.dll distribution
with the latest build (0.9.8i). We had 0.9.8a (2006 time frame)
The main reason is because we got inquiries regarding AES and SSL3 and
cipher suites.
I am trying to recall all our work, but I thought we had s
Dear All,
Thank you Dr. Stephen Henson for your Help.
I want to enable some selected cipher suite like
TLS_RSA_WITH_AES_256_CBC_SHA.
Can it is possible. I selected some specific Algorithm RSA, 3DES, AES,DES,
SHA and MD5.
So I want to enable cipher suite which support to above algorithms only. C
--- On Thu, 5/15/08, Chris Clark <[EMAIL PROTECTED]> wrote:
> From: Chris Clark <[EMAIL PROTECTED]>
> Subject: Re: RC4-MD5 cipher suites rep;acement
> To: openssl-users@openssl.org
> Received: Thursday, May 15, 2008, 1:46 PM
> On 5/15/08, PoWah Wong <[EM
I'm not clear on what your goal is, but if you are writing both the
client and server applications that communicate only with each other
then you would be fine supporting only specific cipher suites such as
AES, but if you are writing only one end of it (client or server),
then be aware that AES
--- On Thu, 5/15/08, Chris Clark <[EMAIL PROTECTED]> wrote:
> From: Chris Clark <[EMAIL PROTECTED]>
> Subject: Re: RC4-MD5 cipher suites rep;acement
> To: openssl-users@openssl.org
> Received: Thursday, May 15, 2008, 11:22 AM
> On 5/15/08, PoWah Wong <[EMAIL PROTEC
On 5/15/08, PoWah Wong <[EMAIL PROTECTED]> wrote:
> Is there some cipher suites more secure than SSL_RSA_WITH_RC4_128_MD5
> (RC4-MD5) so that they should replace RC4-MD5?
The AES 256-bit cipher suites are not only more secure than RC4, they
are also much faster
Is there some cipher suites more secure than SSL_RSA_WITH_RC4_128_MD5 (RC4-MD5)
so that they should replace RC4-MD5?
hi ,
I tried to compare the ciphersuites of public key exchange & pre
shared key exchange
I tried to find the PSK ciphersuites and also when i used the openssl command
openssl s_client -connect localhost:443 -psk 1a2b3c
I get error message unknown option -psk
But in the documents we
On 2007.05.23 at 17:30:50 +0200, Yves Rutschle wrote:
> Hi,
>
> I'm trying to work out the relationship between a cipher
> suite, and the encrypters available in OpenSSL. For example,
There is almost no relationship, except that if no encrypter is
available, cipher suite which uses this encrypti
Hi,
I'm trying to work out the relationship between a cipher
suite, and the encrypters available in OpenSSL. For example,
in OpenSSL 0.9.8e I see there is blowfish encryption
available (in `openssl enc`), yet none of the bf variants
appear in the cipher suite list (`openssl ciphers`).
So, where d
Dear,
On 04-Dec-06 at 19:15, Victor Duchovni wrote:
TLS includes anonymous cipher-suites (ADH) that do not require or use
server certificates. Postfix 2.3 clients using opportunistic TLS with
Postfix 2.3 (SMTP+STARTTLS) servers will use anonymous ciphers by
default, because SMTP server
Lutz Jaenicke wrote:
> Please have a look into SSL_OP_CIPHER_SERVER_PREFERENCE available
> via SSL_CTX_set_options().
Thank you very much!
Arno Garrels
__
OpenSSL Project http://www.openssl.org
Use
On Fri, Oct 20, 2006 at 08:44:25PM +0200, Arno Garrels wrote:
> Hello,
>
> How to force negotiation of AES256-SHA without disabling the
> AES128-SHA at the server-side when a client sends AES128-SHA
> as its first preference and AES256-SHA as second?
Please have a look into SSL_OP_CIPHER_SERVER_P
Hello,
How to force negotiation of AES256-SHA without disabling the
AES128-SHA at the server-side when a client sends AES128-SHA
as its first preference and AES256-SHA as second?
Thanks,
Arno Garrels
> If nothing else, you can implement your own interpretation of "HIGH"
> and "MEDIUM", and then for MEDIUM as specified by the user change the
> string passed to the cipher setup function to include "MEDIUM+" and
> the AES128 algorithm names.
Thanks Kyle. After giving this some thought I can see i
Hi Richard,
> The docs are outdated. AES is strong.
That makes sense. In that case I could let users choose either MEDIUM
or "Strong" along with which Cipher group (RC4, 3DES, DES, AES).
Of course if they choose Medium and only AES, they would not have any
cipher in the result list, so I could
If nothing else, you can implement your own interpretation of "HIGH"
and "MEDIUM", and then for MEDIUM as specified by the user change the
string passed to the cipher setup function to include "MEDIUM+" and
the AES128 algorithm names.
-Kyle H
On 1/28/06, Chris Clark <[EMAIL PROTECTED]> wrote:
> H
The docs are outdated. AES is strong.
--
SOA Appliance Group
IBM Application Integration Middleware
Hi Steve,
> Also there are grounds for classifying AES in general as "stronger" (for some
> value of stronger) due its 128 bit block length compared to the other block
> ciphers which have a 64 bit block length.
So I won't be able to use the MEDIUM and HIGH settings to let the
users choose betwee
On Sat, Jan 28, 2006, Chris Clark wrote:
>
> I was hoping for a simpler solution, so rather than letting users
> choose the exact cipher suite names they could simply choose between
> AES, 3DES, DES, RC4, and they could also choose if they want MEDIUM
> (128 bit) encryption, or HIGH (greater the
Hi Richard,
> The openssl "ciphers" command shows the text format of the cipher suites
> supported Allow you users to choose from (a subset of) that list, and
> set the env var or config param appropriately. Like PATH, it's a
> colon-separated list in order of pri
The openssl "ciphers" command shows the text format of the cipher suites
supported Allow you users to choose from (a subset of) that list, and
set the env var or config param appropriately. Like PATH, it's a
colon-separated list in order of priority.
/r$
--
SOA
Hi Richard,
> The high medium and low are arbitrary terms, and date back to when the US
> had stricter export controls on cryptography.
>
> Ignore them.
But I want my client/server application to allow users to select the
level of encryption they wish to use. It is my understanding that 128
bit A
The high medium and low are arbitrary terms, and date back to when the US
had stricter export controls on cryptography.
Ignore them.
/r$
--
SOA Appliance Group
IBM Application Integration Middleware
According to the documentation, "medium" encryption cipher suites are
those that use 128 bit encryption, and "high" suites are those that use
higher than 128 bits...
Why is it that when I select a "medium" set of cipher suites, it will never
include any AES ciphe
Hi,
I have a TLS 1.0 client which supports AES cipher suites defined in RFC3268.
However, when it connects to a TLS server using OpenSSL 0.97. It gets a TLS
fatal alert, 20 (bad record MAC). I saw the version is 3.1 and the cipher
suite ID is 0x00 0x35 (TLS_RSA_WITH_AES_256_CBC_SHA) in the server
, 2003 9:19 PM
Subject:
Re: Cipher Suites explanation
Neil Humphreys wrote:
My app is a listening server
with 2 ports. The less secure one is for performance, when it doesn't
matter if someone sees the data being sent, so it is not worth
encrypting/decry
1 - 100 of 112 matches