Disable ETM in OpenSSL 1.1.0+


Disable ETM in OpenSSL 1.1.0+

Michael Shirley

It appears that starting with OpenSSL 1.1.0, it is not possible to disable the Encrypt-Then-MAC (ETM) TLS extension for CBC ciphers. Is there an undocumented method to do this, which would also allow me to use the built-in s_server/s_client test mechanism?

 

Thanks,

-Mike

 

Michael Shirley
Senior Test Engineer
Office: (512) 498-7038 | Mobile:(512) 965-9004 
mshirley@...


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Disable ETM in OpenSSL 1.1.0+

Matt Caswell-2


On 16/01/17 14:14, Michael Shirley wrote:
> It appears that starting with OpenSSL 1.1.0, it is not possible to
> disable the Encrypt-Then-MAC (ETM) TLS extension for CBC ciphers. Is
> there an undocumented method to do this, which would also allow me to
> use the built-in s_server/s_client test mechanism?

This is a new feature in 1.1.0 that is on by default. Unfortunately
there is no way to disable it. That capability has since been added to
the master branch (so will be in 1.1.1) via this commit:

commit cde6145ba19a2fce039cf054a89e49f67c623c59
Author:     David Woodhouse <[hidden email]>
AuthorDate: Fri Oct 14 00:26:38 2016 +0100
Commit:     Matt Caswell <[hidden email]>
CommitDate: Mon Oct 17 23:17:39 2016 +0100

    Add SSL_OP_NO_ENCRYPT_THEN_MAC

    Reviewed-by: Tim Hudson <[hidden email]>
    Reviewed-by: Matt Caswell <[hidden email]>


Matt

Re: Disable ETM in OpenSSL 1.1.0+

Michael Shirley

I tested the master branch that adds this capability, but I’m apparently not using the right combination of flags to turn it off – when I attempt s_client/s_server in the 1.1.1dev branch, I’m still seeing the ETM extension offered and negotiated for CBC suites. What would be the correct method to disable ETM using the master branch?

Thanks,
-Mike

On 1/16/17, 9:00 AM, "openssl-users on behalf of Matt Caswell" <[hidden email] on behalf of [hidden email]> wrote:

   
   
    On 16/01/17 14:14, Michael Shirley wrote:
    > It appears that starting with OpenSSL 1.1.0, it is not possible to
    > disable the Encrypt-Then-MAC (ETM) TLS extension for CBC ciphers. Is
    > there an undocumented method to do this, which would also allow me to
    > use the built-in s_server/s_client test mechanism?
   
    This is a new feature in 1.1.0 that is on by default. Unfortunately
    there is no way to disable it. That capability has since been added to
    the master branch (so will be in 1.1.1) via this commit:
   
    commit cde6145ba19a2fce039cf054a89e49f67c623c59
    Author:     David Woodhouse <[hidden email]>
    AuthorDate: Fri Oct 14 00:26:38 2016 +0100
    Commit:     Matt Caswell <[hidden email]>
    CommitDate: Mon Oct 17 23:17:39 2016 +0100
   
        Add SSL_OP_NO_ENCRYPT_THEN_MAC
   
        Reviewed-by: Tim Hudson <[hidden email]>
        Reviewed-by: Matt Caswell <[hidden email]>
   
   
    Matt
    --
    openssl-users mailing list
    To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
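
Added example, not part of the thread or of OpenSSL's code: a check for whether the encrypt_then_mac extension (type 22, RFC 7366) is offered in a ClientHello and echoed in a ServerHello, which is the observation the last message describes. The function names, the `_hello` builder and the sample messages are constructed for illustration; input is the raw handshake message without the 5-byte TLS record header.

```python
import struct

ENCRYPT_THEN_MAC = 22  # extension type assigned by RFC 7366

def hello_extensions(msg: bytes) -> list:
    """Extension types in a raw ClientHello (1) or ServerHello (2) handshake message."""
    if len(msg) < 4 or msg[0] not in (1, 2):
        raise ValueError("not a ClientHello/ServerHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    try:
        pos = 2 + 32                        # legacy_version, random
        pos += 1 + body[pos]                # session_id
        if msg[0] == 1:
            pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
            pos += 1 + body[pos]            # compression_methods
        else:
            pos += 3                        # cipher_suite, compression_method
        if pos == len(body):
            return []                       # hello without an extensions block
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        types = []
        while pos < end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            types.append(etype)
            pos += 4 + elen
    except (IndexError, struct.error):
        raise ValueError("truncated hello") from None
    if pos != end or end != len(body):
        raise ValueError("malformed extensions block")
    return types

def etm_status(client_hello: bytes, server_hello: bytes) -> tuple:
    """(offered, accepted): ETM applies only if the server echoes the client's offer."""
    offered = ENCRYPT_THEN_MAC in hello_extensions(client_hello)
    accepted = offered and ENCRYPT_THEN_MAC in hello_extensions(server_hello)
    return offered, accepted

def _hello(msg_type: int, ext_types: list) -> bytes:
    """Constructed sample hello (not captured traffic) with empty-bodied extensions."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    suite = b"\x00\x2f"                     # TLS_RSA_WITH_AES_128_CBC_SHA
    mid = b"\x00\x02" + suite + b"\x01\x00" if msg_type == 1 else suite + b"\x00"
    body = b"\x03\x03" + bytes(32) + b"\x00" + mid + struct.pack("!H", len(exts)) + exts
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

SAMPLE_CLIENT_HELLO = _hello(1, [23, 22])   # extended_master_secret, encrypt_then_mac
SAMPLE_SERVER_HELLO = _hello(2, [23, 22])
SAMPLE_CLIENT_NO_ETM = _hello(1, [23])      # what a client with ETM disabled would send

if __name__ == "__main__":
    print(etm_status(SAMPLE_CLIENT_HELLO, SAMPLE_SERVER_HELLO))
```

The check reports extension presence only; whether ETM actually protects records also depends on the negotiated suite being a CBC suite, as in the thread.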
   
