Re: Help with ssl error

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Apr 18, 2017 at 05:06:40PM +0000, Viktor Dukhovni wrote:

> The ClientHello decodes via tshark as:
> 
> [...]
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> [...]
> 
> This is a modern ClientHello (OpenSSL 1.1.0 it seems) and should
> be broadly interoperable.  The DEFAULT cipherlist includes only
> AES, is there a chance that the server only supports RC4 and/or
> 3DES?
> 
> Try:
> 
>     $ openssl s_client -state -msg -cipher ALL \
>         -connect ftp.echannel.banksys.be:16370 -starttls ftp
> 
> Capture a PCAP file of the traffic with
> 
>     # tcpdump -s0 -w /some/file tcp port 16370
> 
> and post the the decode from:
> 
>     $ tshark -r /tmp/p2 -d tcp.port==16370,ssl -V |
>         sed -ne '/^Secure Sockets Layer/,/^$/p'
> 
> Or just attach the PCAP file to your follow-up message.

On Wed, Apr 19, 2017 at 10:53:27AM -0400, Joseph Southwell wrote:

> Is there a way to enable one or both of those ciphers in OpenSSL?
> 
> > On Apr 18, 2017, at 1:28 PM, Jason Schultz <jetson23@xxxxxxxxxxx> wrote:
> > 
> > RSA_With_AES_128_CBC_SHA and RSA_With_3DES_EDE_CBC_SHA

With so many different names for the underlying TLS ciphersuites
one can only guess which ones are the same.  That said, I'd say
that the first one on your list is enabled by default, and was used
in your TLS ClientHello (TLS_RSA_WITH_AES_128_CBC_SHA 0x002f).

It is possible that (despite any claims to the contrary) the server
only supports the 3DES ciphersuite above, in which case you need
either OpenSSL 1.0.2 or a build of OpenSSL 1.1.0 with the Configure
option "--enable-weak-ssl-ciphers".   The 3DES TLS ciphers are by
default disabled at compile-time in OpenSSL 1.1.0 and later.

I did suggest the "-cipher ALL" option as a first place to start to
find out what the server actually supports.  I'm puzzled as to why
you've not tried that yet.

A more exotic scenario is that the server is configured with a weak
DHE group and having chosen DHE decides that the group is too weak.
In that case you could try just the purported AES cipher:

	-cipher "AES128-SHA"

The name was obtained via:

    $ openssl ciphers -V ALL | grep 0x00,0x2F
      0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

Finally, you really should ask for help from the server administrator
they should have useful data in their logs.

-- 
	Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux