AESCBC support in SSL

ASHIQUE CK
Hi Sir,
Does an SSL connection support AESCBC?
I could not set AESCBC in "SSL_CTX_set_cipher_list" at the client side or in "SSLCipherSuite" at the Apache server side.

Thanks


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: AESCBC support in SSL

Viktor Dukhovni


> On Nov 16, 2018, at 7:45 AM, ASHIQUE CK <[hidden email]> wrote:
>
> Does SSL connection supports AESCBC?

Yes, but not under that name.

>  I could not set AESCBC in "SSL_CTX_set_cipher_list" at client side or in "SSLCipherSuite" at apache server side.

For example (constrained also to RSA and ECDHE to keep the list short):

  $ openssl ciphers -v 'AES128+aRSA+kECDHE:!AESGCM'
  ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
  ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1

There isn't a cipherlist property that specifically selects CBC, so to
get *only* CBC, you need to exclude AESGCM (and perhaps also AESCCM).

--
        Viktor.


Re: AESCBC support in SSL

ASHIQUE CK
Hi,
I had given all the cipher strings for "SSL_CTX_set_cipher_list" which we get under the command 'openssl ciphers' that include CBC, but none of them worked. All of them showed the error "error:141640B5:SSL routines:tls_construct_client_hello:no ciphers available". I have used TLSv1_2 or SSLv23.
Also, I have tried setting these strings for "SSLCipherSuite" in the Apache server configuration. But it makes no change in choosing the server default ciphersuite "ECDHE-RSA-AES256-GCM-SHA384".

Thanks


Re: AESCBC support in SSL

ASHIQUE CK
Is the problem with those strings, or the TLS/SSL version, or something else?


Re: AESCBC support in SSL

Dmitry Belyavsky-3
Do you use any RedHat-based OS?

--
SY, Dmitry Belyavsky


Re: AESCBC support in SSL

ASHIQUE CK
No, we use Ubuntu 16.04 OS.


Re: AESCBC support in SSL

ASHIQUE CK
Also I use OpenSSL 1.1.0h.


Re: AESCBC support in SSL

ASHIQUE CK
Hi,
Any replies?


Re: AESCBC support in SSL

OpenSSL - User mailing list
I think you missed the following:

Because CBC is the oldest block cipher mode in SSL and
TLS, the cipher suites using CBC don't include the
letters "CBC" in their names. They simply don't mention
a different mode (such as GCM or CCM).

For example ECDHE-RSA-AES128-SHA uses AES128 in CBC mode.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
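
Added example, not part of the original thread: Python's `ssl.SSLContext.set_ciphers()` hands the string to the same OpenSSL cipher-list parser as `SSL_CTX_set_cipher_list`, so it can check the two answers above (that `AESCBC` is not a keyword, and that excluding `AESGCM` from Viktor's string leaves only CBC suites whose names never say "CBC"). It assumes Python built against OpenSSL 1.1.0 or later; the function names are illustrative.

```python
import ssl


def tls12_suites(cipher_string):
    """Expand an OpenSSL cipher string into (suite name, block mode) pairs.

    TLS 1.3 suites are filtered out: OpenSSL configures them separately,
    so the cipher list string never adds or removes them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    pairs = []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue
        # "symmetric" looks like "aes-128-cbc" or "aes-128-gcm".
        symmetric = suite.get("symmetric") or "unknown"
        pairs.append((suite["name"], symmetric.rsplit("-", 1)[-1].upper()))
    return pairs


def is_accepted(cipher_string):
    """True if the string selects at least one pre-TLS-1.3 suite."""
    try:
        return bool(tls12_suites(cipher_string))
    except ssl.SSLError:
        return False


def is_cbc_only(cipher_string):
    """True if every suite the string selects runs its cipher in CBC mode."""
    pairs = tls12_suites(cipher_string)
    return bool(pairs) and all(mode == "CBC" for _, mode in pairs)


if __name__ == "__main__":
    candidates = (
        "AESCBC",                      # the name tried in the question
        "AES128+aRSA+kECDHE",          # no exclusion: GCM is still present
        "AES128+aRSA+kECDHE:!AESGCM",  # the string from Viktor's reply
    )
    for text in candidates:
        if not is_accepted(text):
            print(f"{text!r}: rejected, no cipher matches")
            continue
        print(f"{text!r}: CBC only = {is_cbc_only(text)}")
        for name, mode in tls12_suites(text):
            print(f"    {name:<32} {mode}")
```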


Re: AESCBC support in SSL

ASHIQUE CK
Thanks Jakob. Thanks a lot.
