After some debugging (exactly as mentioned above) it appears that the cipher suite does not show up in the ClientHello using s_client/s_server. I modified the cipher for testing to use 512 bits instead of 64 so that it is ranked highest.

Error server side:
SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:1979

Error client side:
SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1469:SSL alert number 80

Any idea why the cipher would appear under the list of supported TLS 1.2 ciphers, yet it does not appear in the ClientHello even if specified with the -cipher option?
Hmm... it's not clear why the cipher isn't being sent in client hello. What output do you get with -security_debug_verbose option? Also try including @SECLEVEL=0 in the cipher string. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org
The -security_debug_verbose option confirmed it was not being sent in the client hello. Here is the s_server command used:
openssl s_server -accept 6000 -tls1_2 -cert ./cert.pem -key ./key.pem -state -debug -msg -security_debug_verbose -cipher 'ECDHE-RSA-MYCIPHER-SHA256:@SECLEVEL=0'
Using default temp DH parameters
And the s_client:
openssl s_client -connect localhost:6000 -tls1_2 -state -debug -msg -security_debug_verbose -cipher 'ECDHE-RSA-MYCIPHER-SHA256:@SECLEVEL=0'
CONNECTED(00000003)

However, when viewing the supported ciphers, the cipher I'm attempting to integrate shows up as the first option in priority:
openssl ciphers -s -v
It seems as though when the priority list of available ciphers is being created (I think it's ssl_create_cipher_list on line 1283 of ssl/ssl_ciph.c) the newly created cipher is not being built into the list... maybe? Because when I execute s_server/s_client without specifying a cipher it shows the following list server side:
So I think if I can find where and how the above list is being created (I assume this list is generated both client and server side), then I think I'm close to being able to use this new cipher in SSL.
Thank you again for your expertise on this.
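The question in this thread is whether the new suite is actually present in the bytes on the wire, which is a different thing from what `openssl ciphers` prints. The following is an added example, not code from the original posts or from OpenSSL: it parses the cipher_suites vector out of a raw TLS ClientHello (either the full record or just the handshake message) and reports whether a given suite ID is offered. The `-msg` hex dump handling assumes the bytes are on indented lines of two-character hex pairs, as s_client prints them; the sample record and the small ID-to-name table are constructed here for illustration, and a private suite under development would simply show up as an unnamed ID.

```python
import re

# Constructed sample: TLS record (type 0x16) carrying a minimal ClientHello that
# offers three suites. Layout: record header, handshake header, client_version,
# 32-byte random, empty session_id, cipher_suites, compression_methods, extensions.
SAMPLE_RECORD = (
    b"\x16\x03\x01\x00\x33"          # record: handshake, version 3.1, length 51
    b"\x01\x00\x00\x2f"              # handshake: ClientHello, body length 47
    b"\x03\x03"                      # client_version TLS 1.2
    + b"\x11" * 32                   # random (constructed, not real entropy)
    + b"\x00"                        # session_id length 0
    + b"\x00\x06\xc0\x2f\xc0\x30\x00\x9c"  # cipher_suites: 3 suites
    + b"\x01\x00"                    # compression_methods: null only
    + b"\x00\x00"                    # extensions length 0
)

# Constructed imitation of an `s_client -msg` dump of the same message.
SAMPLE_DUMP = """>>> TLS 1.2, Handshake [length 0033], ClientHello
    01 00 00 2f 03 03 11 11 11 11 11 11 11 11 11 11
    11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
    11 11 11 11 11 11 00 00 06 c0 2f c0 30 00 9c 01
    00 00 00
"""

# IANA suite IDs mapped to OpenSSL names, for the few suites used here.
SUITE_NAMES = {
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0x009C: "AES128-GCM-SHA256",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}


def bytes_from_hexdump(text: str) -> bytes:
    """Collect the hex pairs from indented dump lines, ignoring header lines."""
    out = []
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):
            continue
        out.extend(int(tok, 16) for tok in re.findall(r"\b[0-9a-fA-F]{2}\b", line))
    return bytes(out)


def parse_client_hello(msg: bytes) -> list:
    """Return the cipher suite IDs offered in a ClientHello.

    Accepts a full TLS record (first byte 0x16) or a bare handshake message.
    """
    if not msg:
        raise ValueError("empty input")
    if msg[0] == 0x16:  # strip the 5-byte record header
        rec_len = int.from_bytes(msg[3:5], "big")
        msg = msg[5:5 + rec_len]
    if not msg or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    pos = 2 + 32                      # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                # skip session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    suites = body[pos:pos + cs_len]
    return [int.from_bytes(suites[i:i + 2], "big") for i in range(0, cs_len, 2)]


def suite_name(suite_id: int) -> str:
    return SUITE_NAMES.get(suite_id, "0x%04X (unknown)" % suite_id)


def offers_suite(msg: bytes, suite_id: int) -> bool:
    """True if the ClientHello in msg advertises suite_id."""
    return suite_id in parse_client_hello(msg)


if __name__ == "__main__":
    for sid in parse_client_hello(SAMPLE_RECORD):
        print("%04X %s" % (sid, suite_name(sid)))
    print("offers 0xC02F:", offers_suite(SAMPLE_RECORD, 0xC02F))
```

Feed the ClientHello hex lines from the `-msg` output into `bytes_from_hexdump` and then `parse_client_hello`; if the suite under test is missing from the returned list while `openssl ciphers -v` still shows it, the suite is being dropped between the configured cipher list and the list serialised into the hello, not on the server.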
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users