On 24/02/2020 13:04, Phani 2004 wrote:
> Hi Team,
>
> "aes_cbc_hmac_sha1" implementation is currently supported on x86
> platforms only.
> With which RFC is this compliant with?
> This cipher is only used when the "encrypt then mac" option is disabled.
> Is this understanding correct. I am using openssl s_server and s_client
> is I use the below command on client side.
>
> openssl s_client -connect 10.29.20.26 -cipher ECDHE-RSA-AES128-SHA -tls1_
>
> Is this correct?
> I have following queries:
>
> 1. With which RFC is the current aes_cbc_hmac_sha1 implementation
> compliant with?

It's a cipher used by AES128 and HMAC-SHA1 based ciphersuites compliant
with TLSv1.2 (RFC5246) and earlier TLS protocol versions.

> 2. It always does "mac then encrypt". In fact this cipher is invoked
> only when "encrypt then mac" flag is disabled. Is this correct?

Correct. We always try to do encrypt-then-mac by default so s_client
talking to s_server from the same OpenSSL version should never use this
ciphersuite.

> 3. Is the cipher I used in above s_client command correct?
> openssl s_client -connect 10.29.20.26 -cipher ECDHE-RSA-AES128-SHA -tls1_

The "-tls_" on the end is incorrect - that's not a valid flag. Perhaps
you meant "-no_tls1_3" which would be fine. That's still not sufficient
to guarantee usage of the aes_cbc_hmac_sha1 cipher though because
Encrypt-then-mac will always be preferred. I don't think there is a
command line option to s_client to force that off, although you can do
it through a config file using the "EncryptThenMac" option.

Matt

> Thanks in advance.
>
> Regards
> Phani
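
The config-file route mentioned in the reply above, written out as an added example that is not part of the original thread or the OpenSSL project's own files. The file name `no_etm.cnf` and the section names are arbitrary choices; it assumes an OpenSSL 1.1.1-style build where the `openssl` app loads the file named by `OPENSSL_CONF` and applies its `system_default` SSL section to every new SSL_CTX.

```ini
# no_etm.cnf (hypothetical file name): test-only configuration that stops
# this endpoint from negotiating the encrypt_then_mac extension, so CBC
# ciphersuites fall back to MAC-then-encrypt and the aes_cbc_hmac_sha1
# cipher discussed in the thread can be selected.
#
# Use it for one s_client run only (command from the thread, with the
# invalid trailing flag replaced by -no_tls1_3 as suggested in the reply):
#
#   OPENSSL_CONF=./no_etm.cnf openssl s_client -connect 10.29.20.26 \
#       -cipher ECDHE-RSA-AES128-SHA -no_tls1_3

# Entry point: names the section that lists the configuration modules.
openssl_conf = openssl_init

[openssl_init]
# Enable the SSL configuration module (section name is arbitrary).
ssl_conf = ssl_sect

[ssl_sect]
# "system_default" is the name libssl applies automatically to new SSL_CTX
# objects; the section it points to can be named anything.
system_default = system_default_sect

[system_default_sect]
# Default behaviour, equivalent to leaving the line out:
#   Options = EncryptThenMac
# A leading "-" clears the option, which corresponds to setting
# SSL_OP_NO_ENCRYPT_THEN_MAC on the context.
Options = -EncryptThenMac
```

Because the extension is only used when both peers offer it, applying this file to either s_client or s_server is enough to get MAC-then-encrypt on that connection; leave the system-wide openssl.cnf at its default so other connections keep encrypt-then-mac.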