How does cipher selection and TLS protocol negotiation interact

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

How does cipher selection and TLS protocol negotiation interact

Erik Forsberg-11
I have a weird case that I cannot properly explain.
Using OpenSSL 1.0.1c for both client and server, I was testing various
combinations of ciphers and protocol version requests.

Basically, the server uses SSLv23_server_method().
The client code uses SSLv23_client_method() and SSL_OP_NO_SSLv2

Then, if I have the following cipher list (which I have used for a long
time)
TLSv1+HIGH:!CAMELLIA:!SSLv2:RC4+MEDIUM:!MD5:!aNULL:!eNULL:@STRENGTH
(same for client and server side)

I always get a SSLv3 connection, regardless what client asks for.

Changing the cipher list to (removing the TLSv1)
HIGH:!CAMELLIA:!SSLv2:RC4+MEDIUM:!MD5:!aNULL:!eNULL:@STRENGTH

I start getting TLS1.2 connections. Question is, in the first case,
why dont I get a TLSv1 connection ? Furthermore, high strength
ciphers from TLSv1 should still be usable for TLS 1.1 and 1.2, so
why dont I get a TLS1.2 connection in the first case ?


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: How does cipher selection and TLS protocol negotiation interact

Erik Forsberg-11
To answer my own question, seems the code that generates the
SSL_CIPHER_description() output does not make any difference between SSLv3,
TLSv1.0
and TLSv1.1. Only TLSv1.2 is displayed as such. So in my case, I probably
did have a TLSv1 connection. Confusing ...

A followup question, is it correct that TLSv1 in the cipher string disables
TLSv1.2 ciphers ? I didnt expect that.

>-- Original Message --
>Date: Fri, 15 Jun 2012 14:34:27 -0700
>From: "Erik Forsberg" <[hidden email]>
>Subject: How does cipher selection and TLS protocol negotiation interact
>To: [hidden email]
>Reply-To: [hidden email]
>
>
>I have a weird case that I cannot properly explain.
>Using OpenSSL 1.0.1c for both client and server, I was testing various
>combinations of ciphers and protocol version requests.
>
>Basically, the server uses SSLv23_server_method().
>The client code uses SSLv23_client_method() and SSL_OP_NO_SSLv2
>
>Then, if I have the following cipher list (which I have used for a long
>time)
>TLSv1+HIGH:!CAMELLIA:!SSLv2:RC4+MEDIUM:!MD5:!aNULL:!eNULL:@STRENGTH
>(same for client and server side)
>
>I always get a SSLv3 connection, regardless what client asks for.
>
>Changing the cipher list to (removing the TLSv1)
>HIGH:!CAMELLIA:!SSLv2:RC4+MEDIUM:!MD5:!aNULL:!eNULL:@STRENGTH
>
>I start getting TLS1.2 connections. Question is, in the first case,
>why dont I get a TLSv1 connection ? Furthermore, high strength
>ciphers from TLSv1 should still be usable for TLS 1.1 and 1.2, so
>why dont I get a TLS1.2 connection in the first case ?
>
>
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>User Support Mailing List                    [hidden email]
>Automated List Manager                           [hidden email]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: How does cipher selection and TLS protocol negotiation interact

Dr. Stephen Henson
On Fri, Jun 15, 2012, Erik Forsberg wrote:

> To answer my own question, seems the code that generates the
> SSL_CIPHER_description() output does not make any difference between SSLv3,
> TLSv1.0
> and TLSv1.1. Only TLSv1.2 is displayed as such. So in my case, I probably
> did have a TLSv1 connection. Confusing ...
>
> A followup question, is it correct that TLSv1 in the cipher string disables
> TLSv1.2 ciphers ? I didnt expect that.
>

The cipher string doesn't make any difference to the version of SSL/TLS
negotiated[*]. The TLSv1 string includes ciphers which can be used for TLS 1.0
and above so specifying it means TLS v1.2 can be negotiated. There isn't
currently a TLS 1.2 option for the cipherstring, though that will be fixed at
some point.

Steve.
* There is an exception to this relating to the deprecated SSLv2 protocol and
OpenSSL 1.0 and later. If no SSLv2 ciphers are included in the cipherstring
(the default now excludes them) then SSLv2 will not be negotaited and the "TLS
client hello in an SSLv2 client hello" is not sent. This effectively disables
SSL v2.0 by default and means compression and extensions can be used.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]