OpenSSL 1.1.1 Support for DH Ciphers?

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

OpenSSL 1.1.1 Support for DH Ciphers?

Rich Fought
The OpenSSL 1.1.1 ciphers manpage claims that some non-ephemeral DH
ciphers are supported:

TLS1.0:
DH-RSA-AES128-SHA
DH-RSA-AES256-SHA

TLS1.2:
DH-RSA-AES128-SHA256
DH-RSA-AES256-SHA256
DH-RSA-AES128-GCM-SHA256
DH-RSA-AES256-GCM-SHA256

However, I am unable to see them with openssl ciphers command

 > openssl ciphers -v -s DH

All I see are DHE ciphers.  DH is needed for compatibility with legacy
servers.

Are these only enabled via a compile time option?  Or is the
documentation incorrect?

Regards,
Rich


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: OpenSSL 1.1.1 Support for DH Ciphers?

Viktor Dukhovni
> On Jan 29, 2019, at 2:23 PM, Rich Fought <[hidden email]> wrote:
>
> The OpenSSL 1.1.1 ciphers manpage claims that some non-ephemeral DH ciphers are supported:
>
> TLS1.0:
> DH-RSA-AES128-SHA
> DH-RSA-AES256-SHA

The static DH and ECDH ciphers have been removed.

> TLS1.2:
> DH-RSA-AES128-SHA256
> DH-RSA-AES256-SHA256
> DH-RSA-AES128-GCM-SHA256
> DH-RSA-AES256-GCM-SHA256
>
> However, I am unable to see them with openssl ciphers command
>
> > openssl ciphers -v -s DH
>
> All I see are DHE ciphers.  DH is needed for compatibility with legacy servers.

They are NOT needed for compatibility with legacy servers.

> Are these only enabled via a compile time option?  Or is the documentation incorrect?

The documentation is likely out of date.

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: OpenSSL 1.1.1 Support for DH Ciphers?

Kurt Roeckx
On Tue, Jan 29, 2019 at 02:42:48PM -0500, Viktor Dukhovni wrote:

> > On Jan 29, 2019, at 2:23 PM, Rich Fought <[hidden email]> wrote:
> >
> > The OpenSSL 1.1.1 ciphers manpage claims that some non-ephemeral DH ciphers are supported:
> >
> > TLS1.0:
> > DH-RSA-AES128-SHA
> > DH-RSA-AES256-SHA
>
> The static DH and ECDH ciphers have been removed.
>
> > TLS1.2:
> > DH-RSA-AES128-SHA256
> > DH-RSA-AES256-SHA256
> > DH-RSA-AES128-GCM-SHA256
> > DH-RSA-AES256-GCM-SHA256
> >
> > However, I am unable to see them with openssl ciphers command
> >
> > > openssl ciphers -v -s DH
> >
> > All I see are DHE ciphers.  DH is needed for compatibility with legacy servers.
>
> They are NOT needed for compatibility with legacy servers.

To clarify, the static DH has fixed DH parameters in the
certificate. Instead of generating the parameters on each
connection, it's fixed in the certificate. It's higly unlikely
that you have such certificates. They're very difficult to
actually generate. Other then some test certificates, I have never
seen any actual such certificate.

Even if you somehow managed to generate such certificate, both the
client and server would actually need to be set up to work with
static DH, and only static DH, which also seems unlikely.


Kurt

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: OpenSSL 1.1.1 Support for DH Ciphers?

OpenSSL - User mailing list
On 30/01/2019 00:11, Kurt Roeckx wrote:

> On Tue, Jan 29, 2019 at 02:42:48PM -0500, Viktor Dukhovni wrote:
>>> On Jan 29, 2019, at 2:23 PM, Rich Fought <[hidden email]> wrote:
>>>
>>> The OpenSSL 1.1.1 ciphers manpage claims that some non-ephemeral DH ciphers are supported:
>>>
>>> TLS1.0:
>>> DH-RSA-AES128-SHA
>>> DH-RSA-AES256-SHA
>> The static DH and ECDH ciphers have been removed.
>>
>>> TLS1.2:
>>> DH-RSA-AES128-SHA256
>>> DH-RSA-AES256-SHA256
>>> DH-RSA-AES128-GCM-SHA256
>>> DH-RSA-AES256-GCM-SHA256
>>>
>>> However, I am unable to see them with openssl ciphers command
>>>
>>>> openssl ciphers -v -s DH
>>> All I see are DHE ciphers.  DH is needed for compatibility with legacy servers.
>> They are NOT needed for compatibility with legacy servers.
> To clarify, the static DH has fixed DH parameters in the
> certificate. Instead of generating the parameters on each
> connection, it's fixed in the certificate. It's higly unlikely
> that you have such certificates. They're very difficult to
> actually generate. Other then some test certificates, I have never
> seen any actual such certificate.
>
> Even if you somehow managed to generate such certificate, both the
> client and server would actually need to be set up to work with
> static DH, and only static DH, which also seems unlikely.
>
At least when not using client certificates, no special client
configuration is needed (other than a non-crippled SSL library).

Server sends the DH parameters from the certificate.  Client
generates a random ephemeral key (just like with the DHE suites),
server "signs" finished message with something derived from the
shared DH result, thus proving it has the private DH key to
correctly complete the DH exchange.

A few SSL/TLS messages may be differently formatted than for DHE,
that's all.  Of cause the static DH suites provide no forward
secrecy after a private key breach, but that's no different
from the basic RSA suites.

Public CAs no longer issue DH certificates, so these will not be
found in public services that rely on the browser/mail/OS
certificate trusts, but they may still exist in private trust
contexts not constrained by browser politics.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users