> On Apr 19, 2017, at 12:48 PM, Joseph Southwell <jsouthwell@xxxxxxxxxxxxx> wrote: > > Sorry we did do that. It just didn’t look different so I didn’t send it (pasted below). I also have asked for help from the server admin but it is a non English speaking country and they don’t seem to be interested in talking to me. I have another product supposedly using OpenSSL that is currently working fine so it must be possible. That product is using 0.9.8something. The "0.9.8something" releases support RC4, 3DES, export ciphers, ... OpenSSL 1.1.0 does not by default include any of these. You can get RC4 and 3DES by compiling with weak ciphers enabled, the EXPORT ciphers are expunged from the code. > So specifying -cipher "AES128-SHA” will cause it to not use DHE? Yes, it will offer just that single ciphersuite "0x002f" and nothing else. If that does not work, the claim that the server supports RSA with AES-128-CBC is not credible. To find out what it does support, build OpenSSL 1.0.2, and try connecting with that version of "s_client". Another thing to try is sending an SNI name (-servername ...), perhaps the server wants to see that, though it seems very unlikely for FTP. You could also try restricting the protocol to TLS 1.0, perhaps the server mishandles TLS 1.2 and/or TLS 1.1: ... -no_tls1_2 -no_tls1_1 -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
