Ciphers: disabling


Ciphers: disabling

Serhiy Ivanov
Tried to turn off one cipher via:
#!/bin/bash
make clean && ./config -no-CAMELLIA-128-CBC && make depend && make

But still cannot turn it off (as I see in the output of openssl
list-cipher-algorithms or even
./apps/openssl list-cipher-algorithms for the newly compiled client). I
don't see a way to really turn off ciphers. How to turn them off?

--
kind regards,

Serhiy Ivanov
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Ciphers: disabling

Jeffrey Walton-3
On Wed, Jan 9, 2013 at 7:02 AM, Serhiy Ivanov
<[hidden email]> wrote:
> Tried to turn off one cipher via:
> #!/bin/bash
> make clean && ./config -no-CAMELLIA-128-CBC && make depend && make
Try make dclean

Jeff

RE: Ciphers: disabling

J. J. Farrell-2
In reply to this post by Serhiy Ivanov
> From: Serhiy Ivanov [mailto:[hidden email]]
> Sent: Wednesday, January 09, 2013 12:03 PM
>
> Tried to turn off one cipher via:
> #!/bin/bash
> make clean && ./config -no-CAMELLIA-128-CBC && make depend && make
>
> But still cannot turn it off (as I see in the output of openssl
> list-cipher-algorithms or even
> ./apps/openssl list-cipher-algorithms for the newly compiled client). I
> don't see a way to really turn off ciphers. How to turn them off?

Follow the style specified in the INSTALL file - -no-camellia should disable all Camellia ciphers. I'm not aware of any easy way to disable individual cipher suites at library build time.

Re: Ciphers: disabling

Serhiy Ivanov
Thanks for pointing out the more detailed description. Tried actually
with the no-camelia flag and had an error:
#error CAMELLIA is disabled
from ./crypto/camellia/camellia.h.
I didn't know that I also should manually remove that directory after
"make depend".

On Wed, Jan 9, 2013 at 7:23 PM, Jeremy Farrell
<[hidden email]> wrote:

>> From: Serhiy Ivanov [mailto:[hidden email]]
>> Sent: Wednesday, January 09, 2013 12:03 PM
>>
>> Tried to turn off one cipher via:
>> #!/bin/bash
>> make clean && ./config -no-CAMELLIA-128-CBC && make depend && make
>>
>> But still cannot turn it off (as I see in the output of openssl
>> list-cipher-algorithms or even
>> ./apps/openssl list-cipher-algorithms for the newly compiled client). I
>> don't see a way to really turn off ciphers. How to turn them off?
>
> Follow the style specified in the INSTALL file - -no-camellia should disable all Camellia ciphers. I'm not aware of any easy way to disable individual cipher suites at library build time.
--
kind regards,

Serhiy Ivanov| "Jungo team" developer, Lviv

Re: Ciphers: disabling

Serhiy Ivanov
Tried to turn off everything I can:

#!/bin/bash
make clean && make dclean && ./config no-threads no-shared no-zlib \
  no-camellia no-bf no-cast no-des no-dh no-dsa no-mac no-md2 no-mdc2 no-rc2 \
  no-rc4 no-rc5 no-rsa no-krb5
make depend
make
# no-sha  no-md5
#  make && make install
# -no-CAMELLIA-128-CBC no-md5  no-rsa no-dsa
Obtained: d1_srtp.c:229:44: error: ‘SSL_CTX’ has no member named ‘srtp_profiles’
srtp_profiles is defined under #ifndef OPENSSL_NO_TLSEXT in ssl.h,
while the code is turned on under #ifndef OPENSSL_NO_SRTP.
What's wrong?
--
kind regards,

Serhiy Ivanov

Re: Ciphers: disabling

Serhiy Ivanov
After turning off all ciphers I implicitly turned off the whole TLS1:
#ifndef OPENSSL_NO_TLS1
# define OPENSSL_NO_TLS1
#endif
#ifndef OPENSSL_NO_TLSEXT
# define OPENSSL_NO_TLSEXT
#endif
- in my opensslconf.h
So, which cipher should remain, i.e. which of them corresponds to
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA in point 9 of RFC 2246?
--
kind regards,

Serhiy Ivanov
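
The last message finds OPENSSL_NO_TLS1 and OPENSSL_NO_TLSEXT in opensslconf.h although neither was requested on the ./config line. The script below is an added example, not part of the thread and not OpenSSL project code: it lists every OPENSSL_NO_* macro defined in a header that has no matching no-* option. It assumes the no-<name> to OPENSSL_NO_<NAME> naming visible in the thread; the function names and the sample header are constructed for illustration, and on a real header features that are off by default are listed as well.

```shell
#!/bin/sh
# Added example (not from the thread): report OPENSSL_NO_* macros defined in
# opensslconf.h that were not asked for on the ./config command line.

# implicit_disables HEADER [OPTION...]
# Prints, one per line, each OPENSSL_NO_* macro defined in HEADER for which
# no matching no-* OPTION was given.
implicit_disables() {
    header=$1; shift
    # Assumed mapping: no-rc4 -> OPENSSL_NO_RC4. Other arguments are ignored.
    requested=$(for opt in "$@"; do
        case $opt in
            no-*) printf 'OPENSSL_%s\n' "$(printf '%s' "$opt" | tr 'a-z-' 'A-Z_')" ;;
        esac
    done)
    # Take the macro name from every "# define OPENSSL_NO_..." line.
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}\(OPENSSL_NO_[A-Z0-9_]*\).*/\1/p' "$header" |
    sort -u |
    while read -r macro; do
        printf '%s\n' "$requested" | grep -qxF "$macro" || printf '%s\n' "$macro"
    done
}

# demo: run the check on a constructed header fragment (not a real opensslconf.h).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
/* constructed sample for this example */
#ifndef OPENSSL_NO_CAMELLIA
# define OPENSSL_NO_CAMELLIA
#endif
#ifndef OPENSSL_NO_DES
# define OPENSSL_NO_DES
#endif
#ifndef OPENSSL_NO_TLS1
# define OPENSSL_NO_TLS1
#endif
#ifndef OPENSSL_NO_TLSEXT
# define OPENSSL_NO_TLSEXT
#endif
EOF
    implicit_disables "$tmp" no-camellia no-des no-threads
    rm -f "$tmp"
}

demo
```

Running the same function on the generated opensslconf.h after each ./config run shows when a combination of no-* options has removed a protocol along with the algorithms.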