Server(TomCat) disconnect client(ECDHE-RSA-AES128-SHA) openssl-1.1.1c

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Server(TomCat) disconnect client(ECDHE-RSA-AES128-SHA) openssl-1.1.1c

Ranier VF
Hi,
I have a trouble with use of openssl-1.1.1c when connects with homologacao.sefaz.mt.gov.br:

Server Cipher suites:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Client is setup with:
SSL_set_cipher_list(tls, "ALL")

Server disconnects connection.

1.Why, session cipher select by client is: ECDHE-RSA-AES128-SHA
2.How configure client to use server ciphers?

Logs:
DTLS: no
protocol: TLSv1.3
cipher name: (NONE)
DTLS: no
protocol: TLSv1.3
cipher name: (NONE)
SSL_connect:before SSL initialization
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS write client hello
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS write client hello
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS read server hello
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS read server certificate
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS read server key exchange
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS read server done
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS write client key exchange
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS write change cipher spec
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS write finished
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS write finished
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS read change cipher spec
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS read finished
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSL negotiation finished successfully
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSL negotiation finished successfully
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS read hello request
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS write client hello
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS write client hello
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS read server hello
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS read server certificate
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS read server key exchange
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS read server certificate request
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS read server done
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS write client certificate
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS write client key exchange
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS write certificate verify
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS write change cipher spec
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS write finished
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL3 alert read:fatal:handshake failure
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:error in error
SSL_read failed::
WSAError: 0
SSL State: SSLERR
SSL Error: -1 1 error:00000001:lib(0):func(0):reason(1)
SSL Error: -1 336151568 error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS read change cipher spec
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS read finished
SSL_read failed::
WSAError: 10054
SSL State: SSLOK
SSL Error: -1 5 error:00000005:lib(0):func(0):DH lib
Reply | Threaded
Open this post in threaded view
|

RE: Server(TomCat) disconnect client(ECDHE-RSA-AES128-SHA) openssl-1.1.1c

Ranier VF
Hi,
There a list ciphers compiled in openssl-1.11.c
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA

None support CBC.
How compile openssl with CBC support?

best regards
Ranier Vilela

________________________________________
De: Ranier VF
Enviado: segunda-feira, 19 de agosto de 2019 17:30
Para: [hidden email]
Assunto: Server(TomCat) disconnect client(ECDHE-RSA-AES128-SHA) openssl-1.1.1c

Hi,
I have a trouble with use of openssl-1.1.1c when connects with homologacao.sefaz.mt.gov.br:

Server Cipher suites:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Client is setup with:
SSL_set_cipher_list(tls, "ALL")

Server disconnects connection.

1.Why, session cipher select by client is: ECDHE-RSA-AES128-SHA
2.How configure client to use server ciphers?

Logs:
DTLS: no
protocol: TLSv1.3
cipher name: (NONE)
DTLS: no
protocol: TLSv1.3
cipher name: (NONE)
SSL_connect:before SSL initialization
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS write client hello
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS write client hello
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS read server hello
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS read server certificate
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS read server key exchange
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS read server done
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS write client key exchange
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS write change cipher spec
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS write finished
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS write finished
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS read change cipher spec
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS read finished
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSL negotiation finished successfully
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSL negotiation finished successfully
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS read hello request
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS write client hello
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS write client hello
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS read server hello
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS read server certificate
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS read server key exchange
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS read server certificate request
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS read server done
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS write client certificate
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS write client key exchange
DTLS: no
protocol: TLSv1.2
cipher name: (NONE)
SSL_connect:SSLv3/TLS write certificate verify
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS write change cipher spec
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS write finished
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL3 alert read:fatal:handshake failure
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:error in error
SSL_read failed::
WSAError: 0
SSL State: SSLERR
SSL Error: -1 1 error:00000001:lib(0):func(0):reason(1)
SSL Error: -1 336151568 error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS read change cipher spec
DTLS: no
protocol: TLSv1.2
cipher name: ECDHE-RSA-AES128-SHA
SSL_connect:SSLv3/TLS read finished
SSL_read failed::
WSAError: 10054
SSL State: SSLOK
SSL Error: -1 5 error:00000005:lib(0):func(0):DH lib