AES Ciphers in OpenSSL 0.9.8a

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

AES Ciphers in OpenSSL 0.9.8a

Vijay K. Gurbani
Hi:

I am trying to enable the following AES cipher suites in TLS:

   TLS_RSA_WITH_AES_256_CBC_SHA
   TLS_RSA_WITH_AES_128_CBC_SHA
   TLS_RSA_WITH_3DES_EDE_CBC_SHA

I can get the last one, but cannot seem to get the first two.
Here is the SSL context being set up by the client (note the
cipher suite list string):

    SSL_CTX *ctx;

    ctx = SSL_CTX_new(SSLv23_method());
    if (ctx)
    {
      SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
    }
    if (SSL_CTX_set_cipher_list(ctx,
        "ALL:!DH:!EXP:!RC4:@STRENGTH") != 1)
    {
        //...
    }

When I use the same cipher list from the "openssl" command
line, it appears that the ciphers are there (AES256-SHA and
AES128-SHA):

$ openssl ciphers -v 'ALL:!DH:!EXP:!RC4:@STRENGTH'
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
IDEA-CBC-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5

Here is a dump from ssldump (note the two "Unknown value"
ciphers; they appear to correspond to AES_256 and AES_128):

   New TCP connection #1: 127.0.0.1(53991) <-> 127.0.0.1(9991)
   1 1  0.0006 (0.0006)  C>S  Handshake
         ClientHello
           Version 3.1
           cipher suites
           Unknown value 0x35
           TLS_RSA_WITH_3DES_EDE_CBC_SHA
           Unknown value 0x2f
           TLS_RSA_WITH_IDEA_CBC_SHA
           TLS_RSA_WITH_DES_CBC_SHA
           compression methods
                     NULL
   1 2  0.0051 (0.0045)  S>C  Handshake
         ServerHello
           Version 3.1
           session_id[32]=
             78 cb 98 1f af c6 ee 9a b3 be 26 c0 48 4e 63 e9
             a3 9f 51 d9 53 99 6a 11 27 a8 4c c6 45 d7 4d e8
           cipherSuite         Unknown value 0x35

Anything leaps out to you folks as something I am doing blatantly
wrong?  While compiling the distribution, I in no way inhibited
the compilation of AES into the library, so it should be there
(at least the 'openssl ciphers' command appears to indicate that
AES support is in there).

Thanks for your help.

- vijay
--
Vijay K. Gurbani  vkg@{lucent.com,research.bell-labs.com,acm.org}
Lucent Technologies/Bell Laboratories, 2000 Lucent Lane, Rm 6G-440
Naperville, Illinois 60566     Voice: +1 630 224 0216
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]