Re: AESCBC support in SSL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanks Jakob. Thanks a lot.

On Wed, Nov 21, 2018 at 10:58 PM Jakob Bohm via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
I think you missed the following:

Because CBC is the oldest block cipher mode in SSL and
TLS, the cipher suites using CBC don't include the
letters "CBC" in their names.They simply don't mention
a different mode (such as GCM or CCM).

For example ECDHE-RSA-AES128-SHA uses AES128 in CBC mode.

On 20/11/2018 10:54, ASHIQUE CK wrote:
> Hi,
> Any replys ?
>
> On Mon, Nov 19, 2018 at 11:39 AM ASHIQUE CK <ckashiquekvk@xxxxxxxxx
> <mailto:ckashiquekvk@xxxxxxxxx>> wrote:
>
>     Also I use OpenSSL 1.1.0h.
>
>     On Mon, Nov 19, 2018 at 11:36 AM ASHIQUE CK
>     <ckashiquekvk@xxxxxxxxx <mailto:ckashiquekvk@xxxxxxxxx>> wrote:
>
>         No, We use Ubuntu 16.04 OS
>
>         On Mon, Nov 19, 2018 at 11:34 AM Dmitry Belyavsky
>         <beldmit@xxxxxxxxx <mailto:beldmit@xxxxxxxxx>> wrote:
>
>             Do you use any RedHat-based OS?
>
>             On Mon, Nov 19, 2018 at 8:54 AM ASHIQUE CK
>             <ckashiquekvk@xxxxxxxxx <mailto:ckashiquekvk@xxxxxxxxx>>
>             wrote:
>
>                 Is it the problem with that strings or  TLS/SSL
>                 version or any other ?
>
>                 On Mon, Nov 19, 2018 at 11:12 AM ASHIQUE CK
>                 <ckashiquekvk@xxxxxxxxx
>                 <mailto:ckashiquekvk@xxxxxxxxx>> wrote:
>
>                     Hi,
>                     I had given all the cipher strings
>                     for  "SSL_CTX_set_cipher_list" which we get under
>                     the command 'openssl ciphers' that includes CBC,
>                     but any of them didnot worked. All of them showed
>                     the error "error:141640B5:SSL
>                     routines:tls_construct_client_hello:no ciphers
>                     available". I have used TLSv1_2 or SSLv23.
>                     Also I have tried setting  these strings for
>                     "SSLCipherSuite" at apache server configuration.
>                     But it makes no change for choosing the server
>                     default ciphersuit "ECDHE-RSA-AES256-GCM-SHA384".
>
>                     Thanks
>
>                     On Fri, Nov 16, 2018 at 9:15 PM Viktor Dukhovni
>                     <openssl-users@xxxxxxxxxxxx
>                     <mailto:openssl-users@xxxxxxxxxxxx>> wrote:
>
>
>
>                         > On Nov 16, 2018, at 7:45 AM, ASHIQUE CK
>                         <ckashiquekvk@xxxxxxxxx
>                         <mailto:ckashiquekvk@xxxxxxxxx>> wrote:
>                         >
>                         > Does SSL connection supports AESCBC?
>
>                         Yes, but not under that name.
>
>                         >  I could not set AESCBC in
>                         "SSL_CTX_set_cipher_list" at client side or in
>                         "SSLCipherSuite" at apache server side.
>
>                         For example (constrained also to RSA and ECDHE
>                         to keep the list short):
>
>                           $ openssl ciphers -v
>                         'AES128+aRSA+kECDHE:!AESGCM'
>                           ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH
>                         Au=RSA Enc=AES(128) Mac=SHA256
>                           ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA
>                         Enc=AES(128) Mac=SHA1
>
>                         There isn't a cipherlist property that
>                         specifically selects CBC, so to
>                         get *only* CBC, you need to exclude AESGCM
>                         (and perhaps also AESCCM).
>
Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux