Hi Matt,

Thanks a lot for the response.

Is your application a client or a server? Are both ends using OpenSSL 1.0.2d? If not, what is the other end using?
>> Our device has both TLS client and server apps. As a client, the device communicates with a RADIUS server, LDAP server, etc. As a server, the device is accessed using various web browsers. Hence both ends will not be OpenSSL 1.0.2d.

How exactly are you doing that? Which specific cipher are you seeing fail?
>> We have provided a user option to select TLS protocol versions, similar to the browsers. Depending upon the user configuration we set the protocol flags (SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2) in the SSL context using SSL_CTX_clear_options/SSL_CTX_set_options.
>> We have provided a user option to choose ciphers as well. All these are in the application space; no changes have been done and they have been working well with OpenSSL 1.0.1c. Only the library is upgraded to OpenSSL 1.0.2d. I have used AES256-CBC and AES128-CBC ciphers, and the issue is seen with both ciphers.

Are you able to provide a packet capture?
>> Please find the attached traces for server mode.

What O/S is this on?
>> This is built for WinCE and VxWorks.

Regards
Jaya

On Fri, Dec 4, 2015 at 3:02 PM, Matt Caswell <matt at openssl.org> wrote:

> Hello Jaya
>
> We're going to need some more information. There isn't a generic problem
> with CBC ciphers and TLS1.0 in 1.0.2d (it's working fine for me) - so
> there is something specific about your environment that is causing the
> issue. Comments inserted below.
>
> On 04/12/15 06:53, Jayalakshmi bhat wrote:
> > Hi All,
> >
> > Recently we have ported OpenSSL 1.0.2d. Everything works perfect except
> > the below explained issue.
>
> Is your application a client or a server? Are both ends using OpenSSL
> 1.0.2d? If not, what is the other end using?
>
> > When we enable only TLS 1.0 protocol and select CBC ciphers,
>
> How exactly are you doing that? Which specific cipher are you seeing fail?
> >
> > Now my question is whatever I did is it correct?
>
> That would not be a recommended solution
>
> > Or do I need to replace
> > complete s3_cbc.c with OpenSSL 1.0.1e?
>
> No. You cannot just copy and paste stuff from 1.0.1 to 1.0.2.
>
> Some other questions:
>
> Are you able to provide a packet capture?
> How did you build OpenSSL...i.e. what "Configure" options did you use?
> What O/S is this on?
>
> Matt

-------------- next part --------------
A non-text attachment was scrubbed...
Name: server.pcapng
Type: application/octet-stream
Size: 3692 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151204/5954b2da/attachment.obj>