AES Ciphers in OpenSSL 0.9.8a


Vijay K. Gurbani

I am trying to enable the following AES cipher suites in TLS:


I can get the last one, but cannot seem to get the first two.
Here is the SSL context being set up by the client (note the
cipher suite list string):

    SSL_CTX *ctx;

    ctx = SSL_CTX_new(SSLv23_method());
    if (ctx)
      SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
    if (SSL_CTX_set_cipher_list(ctx,
        "ALL:!DH:!EXP:!RC4:@STRENGTH") != 1)

When I use the same cipher list from the "openssl" command
line, it appears that the ciphers are there (AES256-SHA and

    $ openssl ciphers -v 'ALL:!DH:!EXP:!RC4:@STRENGTH'
    AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
    DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
    DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
    AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
    IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
    IDEA-CBC-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=MD5
    RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
    DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
    DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5

Here is a dump from ssldump (note the two "Unknown value"
ciphers; they appear to correspond to AES_256 and AES_128):

   New TCP connection #1: <->
   1 1  0.0006 (0.0006)  C>S  Handshake
           Version 3.1
           cipher suites
           Unknown value 0x35
           Unknown value 0x2f
           compression methods
   1 2  0.0051 (0.0045)  S>C  Handshake
           Version 3.1
             78 cb 98 1f af c6 ee 9a b3 be 26 c0 48 4e 63 e9
             a3 9f 51 d9 53 99 6a 11 27 a8 4c c6 45 d7 4d e8
           cipherSuite         Unknown value 0x35

Anything leaps out to you folks as something I am doing blatantly
wrong?  While compiling the distribution, I in no way inhibited
the compilation of AES into the library, so it should be there
(at least the 'openssl ciphers' command appears to indicate that
AES support is in there).

Thanks for your help.

- vijay
Vijay K. Gurbani  vkg@{,,}
Lucent Technologies/Bell Laboratories, 2000 Lucent Lane, Rm 6G-440
Naperville, Illinois 60566     Voice: +1 630 224 0216
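
Added example, not part of the original post and not OpenSSL project code: it names the "Unknown value" code points in the ssldump trace above by matching them against the suites a local OpenSSL build enables for a given cipher string. Assumptions: it uses Python's ssl module (bound to whatever OpenSSL Python links against, not 0.9.8a), the cipher string "AES256-SHA:AES128-SHA" is chosen for the example, and the function names are hypothetical.

```python
import re
import ssl

# Excerpt of the ssldump output quoted in the post above.
SSLDUMP = """\
1 1  0.0006 (0.0006)  C>S  Handshake
        Version 3.1
        cipher suites
        Unknown value 0x35
        Unknown value 0x2f
        compression methods
1 2  0.0051 (0.0045)  S>C  Handshake
        Version 3.1
        cipherSuite         Unknown value 0x35
"""

def enabled_suites(cipher_string):
    """Return {wire code point: OpenSSL name} for the suites a cipher string enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # OpenSSL reports SSLv3/TLS suite ids as 0x0300XXXX; the low 16 bits are
    # the two-byte value carried in ClientHello and ServerHello.
    return {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}

def annotate(dump, cipher_string):
    """Name each 'Unknown value' in an ssldump trace as (direction, code, name)."""
    table = enabled_suites(cipher_string)
    direction, found = None, []
    for line in dump.splitlines():
        record = re.search(r"\b(C>S|S>C)\b", line)
        if record:
            direction = record.group(1)
        unknown = re.search(r"Unknown value 0x([0-9a-fA-F]+)", line)
        if unknown:
            code = int(unknown.group(1), 16)
            # None means the local library did not enable that code point.
            found.append((direction, code, table.get(code)))
    return found

if __name__ == "__main__":
    # Assumed cipher string for this example: just the two RSA/AES-CBC suites.
    for direction, code, name in annotate(SSLDUMP, "AES256-SHA:AES128-SHA"):
        role = "offered by client" if direction == "C>S" else "selected by server"
        print(f"0x{code:04x}  {name or 'not enabled locally'}  ({role})")
```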