Re: AESCBC support in SSL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I think you missed the following:

Because CBC is the oldest block cipher mode in SSL and
TLS, the cipher suites using CBC don't include the
letters "CBC" in their names.They simply don't mention
a different mode (such as GCM or CCM).

For example ECDHE-RSA-AES128-SHA uses AES128 in CBC mode.

On 20/11/2018 10:54, ASHIQUE CK wrote:
Hi,
Any replys ?

On Mon, Nov 19, 2018 at 11:39 AM ASHIQUE CK <ckashiquekvk@xxxxxxxxx <mailto:ckashiquekvk@xxxxxxxxx>> wrote:

    Also I use OpenSSL 1.1.0h.

    On Mon, Nov 19, 2018 at 11:36 AM ASHIQUE CK
    <ckashiquekvk@xxxxxxxxx <mailto:ckashiquekvk@xxxxxxxxx>> wrote:

        No, We use Ubuntu 16.04 OS

        On Mon, Nov 19, 2018 at 11:34 AM Dmitry Belyavsky
        <beldmit@xxxxxxxxx <mailto:beldmit@xxxxxxxxx>> wrote:

            Do you use any RedHat-based OS?

            On Mon, Nov 19, 2018 at 8:54 AM ASHIQUE CK
            <ckashiquekvk@xxxxxxxxx <mailto:ckashiquekvk@xxxxxxxxx>>
            wrote:

                Is it the problem with that strings or  TLS/SSL
                version or any other ?

                On Mon, Nov 19, 2018 at 11:12 AM ASHIQUE CK
                <ckashiquekvk@xxxxxxxxx
                <mailto:ckashiquekvk@xxxxxxxxx>> wrote:

                    Hi,
                    I had given all the cipher strings
                    for  "SSL_CTX_set_cipher_list" which we get under
                    the command 'openssl ciphers' that includes CBC,
                    but any of them didnot worked. All of them showed
                    the error "error:141640B5:SSL
                    routines:tls_construct_client_hello:no ciphers
                    available". I have used TLSv1_2 or SSLv23.
                    Also I have tried setting  these strings for
                    "SSLCipherSuite" at apache server configuration.
                    But it makes no change for choosing the server
                    default ciphersuit "ECDHE-RSA-AES256-GCM-SHA384".

                    Thanks

                    On Fri, Nov 16, 2018 at 9:15 PM Viktor Dukhovni
                    <openssl-users@xxxxxxxxxxxx
                    <mailto:openssl-users@xxxxxxxxxxxx>> wrote:



                        > On Nov 16, 2018, at 7:45 AM, ASHIQUE CK
                        <ckashiquekvk@xxxxxxxxx
                        <mailto:ckashiquekvk@xxxxxxxxx>> wrote:
                        >
                        > Does SSL connection supports AESCBC?

                        Yes, but not under that name.

                        >  I could not set AESCBC in
                        "SSL_CTX_set_cipher_list" at client side or in
                        "SSLCipherSuite" at apache server side.

                        For example (constrained also to RSA and ECDHE
                        to keep the list short):

                          $ openssl ciphers -v
                        'AES128+aRSA+kECDHE:!AESGCM'
                          ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH
                        Au=RSA Enc=AES(128) Mac=SHA256
                          ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA
                        Enc=AES(128) Mac=SHA1

                        There isn't a cipherlist property that
                        specifically selects CBC, so to
                        get *only* CBC, you need to exclude AESGCM
                        (and perhaps also AESCCM).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux