On Tue, Apr 18, 2017 at 05:06:40PM +0000, Viktor Dukhovni wrote:
> The ClientHello decodes via tshark as:
>
> [...]
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> [...]
>
> This is a modern ClientHello (OpenSSL 1.1.0 it seems) and should
> be broadly interoperable. The DEFAULT cipherlist includes only
> AES, is there a chance that the server only supports RC4 and/or
> 3DES?
>
> Try:
>
>     $ openssl s_client -state -msg -cipher ALL \
>         -connect ftp.echannel.banksys.be:16370 -starttls ftp
>
> Capture a PCAP file of the traffic with
>
>     # tcpdump -s0 -w /some/file tcp port 16370
>
> and post the decode from:
>
>     $ tshark -r /tmp/p2 -d tcp.port==16370,ssl -V |
>         sed -ne '/^Secure Sockets Layer/,/^$/p'
>
> Or just attach the PCAP file to your follow-up message.

On Wed, Apr 19, 2017 at 10:53:27AM -0400, Joseph Southwell wrote:
> Is there a way to enable one or both of those ciphers in OpenSSL?
>
> > On Apr 18, 2017, at 1:28 PM, Jason Schultz <jetson23@xxxxxxxxxxx> wrote:
> >
> > RSA_With_AES_128_CBC_SHA and RSA_With_3DES_EDE_CBC_SHA

With so many different names for the underlying TLS ciphersuites one
can only guess which ones are the same. That said, I'd say that the
first one on your list is enabled by default, and was used in your TLS
ClientHello (TLS_RSA_WITH_AES_128_CBC_SHA 0x002f).

It is possible that (despite any claims to the contrary) the server
only supports the 3DES ciphersuite above, in which case you need either
OpenSSL 1.0.2 or a build of OpenSSL 1.1.0 with the Configure option
"--enable-weak-ssl-ciphers". The 3DES TLS ciphers are by default
disabled at compile-time in OpenSSL 1.1.0 and later.

I did suggest the "-cipher ALL" option as a first place to start to
find out what the server actually supports. I'm puzzled as to why
you've not tried that yet.

A more exotic scenario is that the server is configured with a weak
DHE group and having chosen DHE decides that the group is too weak.
In that case you could try just the purported AES cipher:

    -cipher "AES128-SHA"

The name was obtained via:

    $ openssl ciphers -V ALL | grep 0x00,0x2F
    0x00,0x2F - AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1

Finally, you really should ask for help from the server administrator;
they should have useful data in their logs.

-- 
	Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
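The thread's practical problem is cross-referencing three naming schemes for one ciphersuite: the IANA name tshark prints, the 16-bit code point in parentheses, and the OpenSSL name that `openssl ciphers -V` prints and that `-cipher` accepts. The script below is an added example, not part of the mailing-list exchange: it parses a constructed sample of `openssl ciphers -V ALL` output and a constructed sample of the tshark ClientHello decode quoted above, maps each offered suite to its OpenSSL name, lists suites the build knows but the ClientHello did not offer (flagging 3DES and RC4, which OpenSSL 1.1.0 omits unless built with the option named in the reply), and builds the `-cipher` argument for any set of code points. The sample lines use real OpenSSL names and code points but are shortened and hand-written, and the `is_weak` heuristic on the Enc column is this example's own.

```python
import re

# Constructed sample of `openssl ciphers -V ALL` output (real names and
# code points, but only a handful of lines; a real run prints many more).
CIPHERS_V_SAMPLE = """\
0xC0,0x09 - ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
0xC0,0x13 - ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA   Enc=AES(128)  Mac=SHA1
0x00,0x33 - DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA   Enc=AES(128)  Mac=SHA1
0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA   Enc=AES(128)  Mac=SHA1
0x00,0x0A - DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA   Enc=3DES(168) Mac=SHA1
0x00,0x05 - RC4-SHA                 SSLv3 Kx=RSA      Au=RSA   Enc=RC4(128)  Mac=SHA1
"""

# Constructed sample of the tshark ClientHello decode quoted in the thread.
TSHARK_SAMPLE = """\
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
"""

# One `ciphers -V` line: two hex bytes, dash, OpenSSL name, protocol,
# then the Kx=/Au=/Enc=/Mac= columns.
_CIPHERS_V_RE = re.compile(
    r"^\s*0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})\s+-\s+(\S+)\s+(\S+)"
    r"\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)"
)
# One tshark "Cipher Suite:" line: IANA name and 4-hex-digit code point.
_TSHARK_RE = re.compile(r"Cipher Suite:\s+(\S+)\s+\(0x([0-9A-Fa-f]{4})\)")


def parse_ciphers_v(text):
    """Parse `openssl ciphers -V` output into {code_point: column dict}."""
    table = {}
    for line in text.splitlines():
        m = _CIPHERS_V_RE.match(line)
        if not m:
            continue  # skip headers or lines in an unexpected layout
        hi, lo, name, proto, kx, au, enc, mac = m.groups()
        code = (int(hi, 16) << 8) | int(lo, 16)
        table[code] = {"name": name, "proto": proto, "kx": kx,
                       "au": au, "enc": enc, "mac": mac}
    return table


def parse_tshark_suites(text):
    """Return [(iana_name, code_point), ...] in ClientHello order."""
    return [(m.group(1), int(m.group(2), 16))
            for m in _TSHARK_RE.finditer(text)]


def is_weak(entry):
    """Example heuristic: 3DES and RC4 are the suites OpenSSL 1.1.0 leaves
    out unless built with --enable-weak-ssl-ciphers."""
    return entry["enc"].startswith(("3DES", "RC4"))


def cross_reference(tshark_text, ciphers_v_text):
    """Map each offered suite to (iana_name, code, openssl_name or None)."""
    table = parse_ciphers_v(ciphers_v_text)
    return [(iana, code, table.get(code, {}).get("name"))
            for iana, code in parse_tshark_suites(tshark_text)]


def missing_from_offer(tshark_text, ciphers_v_text):
    """Suites this build knows that the ClientHello did not offer, with
    a weak flag; a server that only speaks one of these will fail the
    DEFAULT handshake but may succeed with `-cipher ALL`."""
    table = parse_ciphers_v(ciphers_v_text)
    offered = {code for _, code in parse_tshark_suites(tshark_text)}
    return [(code, e["name"], is_weak(e))
            for code, e in table.items() if code not in offered]


def cipher_arg(codes, ciphers_v_text):
    """Build a `-cipher` argument naming exactly the given code points."""
    table = parse_ciphers_v(ciphers_v_text)
    return ":".join(table[c]["name"] for c in codes if c in table)


if __name__ == "__main__":
    for iana, code, name in cross_reference(TSHARK_SAMPLE, CIPHERS_V_SAMPLE):
        print(f"0x{code:04x}  {iana:40s} -> {name}")
    for code, name, weak in missing_from_offer(TSHARK_SAMPLE, CIPHERS_V_SAMPLE):
        print(f"not offered: 0x{code:04x} {name}{'  (weak)' if weak else ''}")
    print("-cipher", cipher_arg([0x002F], CIPHERS_V_SAMPLE))
```

Feed it the real output of `openssl ciphers -V ALL` and the tshark decode from the PCAP to see which suites the server could pick that the DEFAULT ClientHello never offered.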