Cipher preference, openssl vs browsers

On 19/07/2016 11:16, Bogdan Harjoc wrote:
> When connecting to a TLS1.2 webserver that uses a weak 512 bit DH key,
> I noticed that browsers select
>
>    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>    (chrome, firefox)
>
> and openssl due to the ciphers list selects
>
>    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
>
> openssl s_client -connect 112.175.90.160:443 -cipher
> DEFAULT
> :!EDH-RSA-DES-CBC3-SHA
> :!DHE-RSA-AES128-GCM-SHA256
> :!DHE-RSA-AES256-GCM-SHA384
> :!DHE-RSA-AES128-SHA256
> :!DHE-RSA-AES128-SHA
> :!DHE-RSA-AES256-SHA256
> :!DHE-RSA-AES256-SHA
> :-ECDH
> :-EXPORT:-DES:-SEED:-RC4:-PSK:-IDEA
> :ECDHE-RSA-AES128-SHA
>
> The error is: dh key too small:.\ssl\s3_clnt.c:3424.
>
>  From a client that uses openssl libs, what would the correct
> workaround be ? Try to figure out that the DH key is too small and
> retry with the DHE ciphers disabled ? Or reorder the ciphers ? Given
> that cipher order can lead to failed handshakes, is there a correct
> order for https clients ?
I am not sure, but I guess those browsers default to listing ECDHE
before EDHE, thus never notice the weak DH group parameters (not
key, OpenSSL error message is misleading).

You could try testing those particular versions of chrome and firefox
against https://www.ssllabs.com/ssltest/viewMyClient.html to see what
their cipher list is.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
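
Added example, not part of either message and not OpenSSL's own code: it asks the local OpenSSL (through Python's `ssl` module) for the order in which a client would offer its TLS 1.2 suites, then models which one a server picks. The cipher strings, the sample server list and the `server_pick` helper are constructed for illustration, and whether the real server honours client order is an assumption.

```python
import ssl

# Constructed cipher strings for this example (not the ones from the thread).
DHE_FIRST = "DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
ECDHE_FIRST = "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256"
NO_DHE = ECDHE_FIRST + ":!kDHE"  # "!" permanently drops ephemeral finite-field DH


def client_offer(cipher_string):
    """Return the TLS <= 1.2 suites OpenSSL would offer, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites (names starting with "TLS_") are configured separately
    # and do not encode a DHE/ECDHE choice, so they are left out here.
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]


def key_exchange(suite):
    """Classify an OpenSSL suite name by its key exchange."""
    if suite.startswith("ECDHE-"):
        return "ECDHE"
    if suite.startswith(("DHE-", "EDH-")):
        return "DHE"
    return "other"


def server_pick(offer, server_suites, honor_client_order=True):
    """Hypothetical model of suite selection in TLS <= 1.2.

    The server either walks the client's list or its own list and takes
    the first suite that both sides support.
    """
    if honor_client_order:
        first, second = offer, server_suites
    else:
        first, second = server_suites, offer
    return next((s for s in first if s in second), None)


if __name__ == "__main__":
    # Constructed server that supports both key exchanges.
    server = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-GCM-SHA256"]
    for label, cs in (("DHE first", DHE_FIRST),
                      ("ECDHE first", ECDHE_FIRST),
                      ("DHE disabled", NO_DHE)):
        pick = server_pick(client_offer(cs), server)
        print(f"{label:13} -> {pick} ({key_exchange(pick or '')})")
```

Only the first row ends on a DHE suite, which is the only case where the server's DH group parameters are used and a small group can abort the handshake.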