cipherlist with only tlsv1.3 ciphers reports error?


cipherlist with only tlsv1.3 ciphers reports error?

PGNet Dev-6
I suspect I've misunderstood usage of TLSv1.3 @

    https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/

Checking cipherlist for just TLSv1.3 ciphers FAILs here,

        openssl ciphers  -stdname -s -V 'TTLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384'
                Error in cipher list

but works if I add, e.g., 'ECDHE' group to the list

        openssl ciphers  -stdname -s -V 'TTLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:ECDHE'
                  0x13,0x02 - TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
                  0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
                  0x13,0x01 - TLS_AES_128_GCM_SHA256 - TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
                  ...

Why doesn't the 1st attempt, without the group added, work?


RE: cipherlist with only tlsv1.3 ciphers reports error?

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf Of
> PGNet Dev
> Sent: Friday, July 19, 2019 11:38
>
> Checking cipherlist for just TLSv1.3 ciphers FAILs here,
>
>       openssl ciphers  -stdname -s -V 'TTLS13-CHACHA20-POLY1305-
> SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384'
>               Error in cipher list

Works for me:

-----
$ openssl ciphers  -stdname -s -V 'TTLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384'
          0x13,0x02 - TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
          0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0x13,0x01 - TLS_AES_128_GCM_SHA256 - TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD

$ openssl version -f -p
OpenSSL 1.1.1  11 Sep 2018
platform: VC-WIN64A
compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSL_NO_AUTOLOAD_CONFIG
-----

Different OpenSSL release? (This particular openssl.exe executable is a bit old, obviously; I haven't bothered to update the one on this machine in a while.) Difference in build configuration? Configuration file difference?

--
Michael Wojcik
Distinguished Engineer, Micro Focus



Re: cipherlist with only tlsv1.3 ciphers reports error?

PGNet Dev-6
> Works for me:

heh.  of COURSE it does!

sanity check here,

  openssl ciphers  -stdname -s -V 'TTLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384'

        Error in cipher list
        140042399306176:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2549:


> Different OpenSSL release?

yes

openssl version
        OpenSSL 1.1.1c  28 May 2019

> Difference in build configuration?

yes

openssl version -f -p
        platform: linux-x86_64
        compiler: /usr/bin/gcc-9 -fPIC -pthread -m64 -Wa,--noexecstack -O3 -Wall -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fmessage-length=0 -grecord-gcc-switches -march=native -mtune=native -fno-common -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -D_GNU_SOURCE -DOPENSSL_NO_BUF_FREELISTS -DOPENSSL_NO_HEARTBEATS -DPURIFY -DSSL_FORBID_ENULL -DTERMIO -O3 -Wall -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fmessage-length=0 -grecord-gcc-switches -march=native -mtune=native -D_FORTIFY_SOURCE=2

which is quite different than yours. the config which I start with

        ./config -v \
         --prefix=/usr/local/openssl11 \
         --openssldir=/usr/local/openssl11 \
         --libdir=lib64 \
         -D_GNU_SOURCE \
         -DOPENSSL_NO_BUF_FREELISTS \
         -DOPENSSL_NO_HEARTBEATS \
         -DPURIFY \
         -DSSL_FORBID_ENULL \
         -DTERMIO \
         -Wa,--noexecstack \
         -Wl,-z,relro,-z,now \
         -Wall \
         -Wl,-rpath=/usr/local/openssl11 \
         -fno-common \
         threads shared \
         no-comp no-zlib no-zlib-dynaemic \
         enable-ec_nistp_64_gcc_128 \
         no-sctp \
         no-idea \
         no-mdc2 \
         no-rc2 \
         no-rc5 \
         no-ssl3 \
         no-weak-ssl-ciphers \
         no-nextprotoneg

That, too, is 'old' (been in use for a loooong time ...), and probably can benefit from some clean-up.

As to what of that^ is causing my fail ... ? not immediately clear what the culprit is.

Before I start decomposing the config difference, anything obvious leap out at you?

> Configuration file difference?

which config file are you referring to?

Re: cipherlist with only tlsv1.3 ciphers reports error?

Michael Wojcik
[Apologies if the formatting here is a little screwy. For the moment I have to use Outlook Web Interface, which is even more problematic than the standalone Outlook client.]

> > Different OpenSSL release?
 
> yes
 
>  openssl version
>         OpenSSL 1.1.1c  28 May 2019

Eh, that's probably it. I have the 1.1.1c sources here but haven't built it yet, on this machine. I'll give it a try over the weekend if I get a chance.

> > Difference in build configuration?
 
> yes

Nothing in your config stands out to me. I think it's some change introduced in 1.1.1c. If no one else on the list chimes in, I'll try debugging it once I have a chance.
 
> > Configuration file difference?
 
> which config file are you referring to?

The default OpenSSL configuration file. openssl.cnf, in the directory displayed by "openssl version -d". But I can't think offhand of anything in the configuration file that I'd expect to have this sort of effect. I don't think even engines would normally have any effect on cipher-list processing this way.

--
Michael Wojcik

Re: cipherlist with only tlsv1.3 ciphers reports error?

PGNet Dev-6
In reply to this post by PGNet Dev-6
> Works for me:
> $ openssl ciphers  -stdname -s -V 'TTLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384'


simplifying to build defaults

        ./config -v \
         --prefix=/usr/local/ssl-test \
         --openssldir=/usr/local/ssl-test \
         --libdir=lib64 \
         -Wl,-rpath=/usr/local/ssl-test/lib64
        make depend
        make

builds with no apparent errors.

tests pass

        make test
                ...
                All tests successful.
                Files=155, Tests=1410, 187 wallclock secs ( 7.50 usr  1.48 sys + 159.26 cusr 37.30 csys = 205.54 CPU)
                Result: PASS
                make[1]: Leaving directory '/usr/local/src/openssl11/openssl-1.1.1c'

and after install

        make install_sw

reports

        /usr/local/ssl-test/bin/openssl version
                OpenSSL 1.1.1c  28 May 2019

        /usr/local/ssl-test/bin/openssl version -f -p
                platform: linux-x86_64
                compiler: /usr/bin/gcc-9 -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG

        ldd /usr/local/ssl-test/bin/openssl
                linux-vdso.so.1 (0x00007ffe91be9000)
                libssl.so.1.1 => /usr/local/ssl-test/lib64/libssl.so.1.1 (0x00007f5e52c96000)
                libcrypto.so.1.1 => /usr/local/ssl-test/lib64/libcrypto.so.1.1 (0x00007f5e527b0000)
                libdl.so.2 => /lib64/libdl.so.2 (0x00007f5e525ac000)
                libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f5e5238e000)
                libc.so.6 => /lib64/libc.so.6 (0x00007f5e51fd4000)
                /lib64/ld-linux-x86-64.so.2 (0x00007f5e531df000)

still fails as above,

        /usr/local/ssl-test/bin/openssl ciphers -v 'TTLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384'

                Error in cipher list
                139704422536256:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2549:

        /usr/local/ssl-test/bin/openssl ciphers -v ECDHE-ECDSA-AES256-GCM-SHA384
                TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
                TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
                TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
                ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD


also, checking the DISTRO-build,

        /usr/bin/openssl version
                OpenSSL 1.1.0i-fips  14 Aug 2018

fails too,

        /usr/bin/openssl ciphers -v 'TTLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384'
                Error in cipher list
                140437655795520:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2193:



Re: cipherlist with only tlsv1.3 ciphers reports error?

PGNet Dev-6
>>> Configuration file difference?
>  
>> which config file are you referring to?
>
> The default OpenSSL configuration file. openssl.cnf, in the directory displayed by "openssl version -d". But I can't think offhand of anything in the configuration file that I'd expect to have this sort of effect. I don't think even engines would normally have any effect on cipher-list processing this way.

fyi, here

/usr/bin/openssl version -v
        OpenSSL 1.1.0i-fips  14 Aug 2018
/usr/bin/openssl version -d
        OPENSSLDIR: "/etc/ssl"
find /etc/ssl -type f | grep cnf
        /etc/ssl/openssl.cnf

/usr/local/ssl-test/bin/openssl version -v
        OpenSSL 1.1.1c  28 May 2019
/usr/local/ssl-test/bin/openssl version -d
        OPENSSLDIR: "/usr/local/ssl-test"
find /usr/local/ssl-test -type f | grep cnf
        (empty)



Re: cipherlist with only tlsv1.3 ciphers reports error?

Viktor Dukhovni
In reply to this post by PGNet Dev-6
On Fri, Jul 19, 2019 at 10:38:19AM -0700, PGNet Dev wrote:

> I suspect I've misunderstood usage of TLSv1.3 @
>
>     https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/
>
> Checking cipherlist for just TLSv1.3 ciphers FAILs here,
>
> openssl ciphers  -stdname -s -V 'TTLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384'
> Error in cipher list

This is expected.  Try:

    openssl ciphers -tls1_3 -stdname -s -V -ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256' 'aNULL'

--
        Viktor.

Re: cipherlist with only tlsv1.3 ciphers reports error?

PGNet Dev-6
Hi,

On 7/20/19 7:28 AM, Viktor Dukhovni wrote:

> On Fri, Jul 19, 2019 at 10:38:19AM -0700, PGNet Dev wrote:
>
>> I suspect I've misunderstood usage of TLSv1.3 @
>>
>>      https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/
>>
>> Checking cipherlist for just TLSv1.3 ciphers FAILs here,
>>
>> openssl ciphers  -stdname -s -V 'TTLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384'
>> Error in cipher list
>
> This is expected.  Try:
>
>      openssl ciphers -tls1_3 -stdname -s -V -ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256' 'aNULL'
>


That works here,

openssl ciphers -tls1_3 -stdname -s -V -ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256' 'aNULL'
          0x13,0x02 - TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
          0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD

Can you clarify WHY that's expected?

Atm, it's unclear why it's working for Michael Wojcik ... different version?  something's changed?

And, in webserver ssl_cipher configs, specifying ONLY the tls13 ciphersuites fires a config error.  Until I add a group, e.g. ECDHE, as well, to the spec.
If this^^ is 'expected', is that, then, actually an error?


Re: cipherlist with only tlsv1.3 ciphers reports error?

Viktor Dukhovni
On Sat, Jul 20, 2019 at 07:35:49AM -0700, PGNet Dev wrote:

> >> Checking cipherlist for just TLSv1.3 ciphers FAILs here,
> >>
> >> openssl ciphers  -stdname -s -V 'TTLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384'
> >> Error in cipher list
> >
> > This is expected.  Try:
> >
> >      openssl ciphers -tls1_3 -stdname -s -V -ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256' 'aNULL'

TLS 1.3 cipher code points are fundamentally different from TLS 1.0–1.2
cipher codepoints.  You can't use any of the former in TLS 1.2 nor any
of the latter in TLS 1.3.  Many users specify a restricted set of TLS
1.2 ciphers, and if there was only one global cipherlist, they would
as a result disable TLS 1.3 entirely.

For the above and related reasons, in OpenSSL 1.1.1 the TLS 1.3 ciphersuite
codepoints are managed separately from the TLS 1.0–1.2 cipher codepoints.

In the ciphers(1) command, the final argument is the desired TLS 1.0–1.2
ciphers, while the "-ciphersuites" option selects the TLS 1.3 code points.

> Can you clarify WHY that's expected?

What's expected is that listing the TLS 1.3 ciphersuite names in
the final argument that specifies TLS 1.2 ciphers will produce an
error (empty set of ciphers).

> Atm, it's inclear why it's working for Michael Wojcik ... different version?
> something's changed?

I am discounting his report of success.  The full set of TLS 1.3
ciphers is enabled by default.  If he did not use the -ciphersuites
option, he was overriding just the 1.2 code points, and somehow
managed to ultimately list just the TLS 1.3 code points.   He
also had a typo in the command he posted.  It is not pertinent.

> And, in webserver ssl_cipher configs, specifying ONLY the tls13 ciphersuites
> fires a config error.  Until I add a group, e.g. ECDHE, as well, to the
> spec.

This is expected.  That "ssl_cipher" setting controls ONLY the TLS 1.2
cipherlist.  To enable only the TLS 1.3 *protocol*, change the settings
that control the protocol versions, not the ciphers.

> If this^^ is 'expected', is that, then, actually an error?

No.  You've just not read the documentation carefully.

--
        Viktor.
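The split Viktor describes, as an added example that is not part of the thread and not OpenSSL's own code. It assumes CPython's ssl module linked against OpenSSL 1.1.1 or later: SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list(), i.e. the TLS 1.0-1.2 cipherlist that the final argument of ciphers(1) and a web server's ssl_cipher setting feed, and get_ciphers() also reports the separately managed TLS 1.3 suites. The standard library has no binding for SSL_CTX_set_ciphersuites() (the -ciphersuites side), so the TLS 1.3 half of a split spec is only computed here, not applied. The suite names are the RFC 8446 names that the 1.1.1 release accepts, as in Viktor's command; the 'TLS13-...' spellings from the 2018 blog post fall through to the legacy half and reproduce the 'no cipher match' failure. The trailing 'aNULL' in Viktor's command only gives the TLS 1.2 list something to match so the command does not error, while -tls1_3 limits the listing to TLS 1.3, which is why the output shows only those two suites.

```python
"""Added example: TLS 1.3 ciphersuites vs. the TLS 1.0-1.2 cipherlist in OpenSSL 1.1.1+.

Assumes the ssl module is linked against OpenSSL >= 1.1.1. Function and
constant names below are this example's own, not OpenSSL or thread names.
"""
import ssl

# The TLS 1.3 code points OpenSSL 1.1.1 accepts for SSL_CTX_set_ciphersuites()
# / 'openssl ciphers -ciphersuites'. Nothing else belongs in that setting.
TLS13_SUITES = frozenset({
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})


def split_spec(spec):
    """Partition a colon-separated spec into (tls13_suites, tls12_cipherlist).

    Mirrors the separation OpenSSL 1.1.1 enforces: TLS 1.3 suite names go to
    the 'ciphersuites' setting, every other token (cipher names, groups such
    as ECDHE, '!' / '+' rules) stays in the legacy cipherlist. Order within
    each half is preserved because both are preference lists.
    """
    tls13, tls12 = [], []
    for token in filter(None, spec.split(":")):
        (tls13 if token in TLS13_SUITES else tls12).append(token)
    return ":".join(tls13), ":".join(tls12)


def accepted_ciphers(cipher_list):
    """Hand cipher_list to SSL_CTX_set_cipher_list() via set_ciphers().

    Returns the names OpenSSL enabled (TLS 1.3 suites included, because they
    are always on unless -ciphersuites / SSL_CTX_set_ciphersuites() trims
    them), or None when OpenSSL rejects the list with 'no cipher match',
    i.e. when no TLS 1.0-1.2 cipher matched the spec.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return None
    return [c["name"] for c in ctx.get_ciphers()]


def tls13_only_context():
    """Restrict the *protocol* to TLS 1.3.

    This, not an emptied TLS 1.2 cipherlist, is the knob for a TLS 1.3-only
    endpoint; the TLS 1.2 list can stay at its default untouched.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def version_bounds(ctx):
    """(minimum_version, maximum_version) of a context, for checking the above."""
    return ctx.minimum_version, ctx.maximum_version


def tls13_available():
    """True when the linked OpenSSL speaks TLS 1.3 (ssl.HAS_TLSv1_3)."""
    return bool(ssl.HAS_TLSv1_3)


if __name__ == "__main__":
    # Constructed specs: the thread's failing case, and a mixed one.
    only_13 = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
    mixed = "TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:!aNULL"
    print("only TLS 1.3 names in the cipherlist ->", accepted_ciphers(only_13))
    suites, cipherlist = split_spec(mixed)
    print("ciphersuites half:", suites)
    print("cipherlist half:  ", cipherlist)
    print("cipherlist half accepted ->", accepted_ciphers(cipherlist))
    print("TLS 1.3-only protocol bounds ->", version_bounds(tls13_only_context()))
```

Running it shows the first call returning None (the 'no cipher match' the thread hit), the mixed spec split into the two settings, and the TLS 1.2 half accepted with the TLS 1.3 suites still listed ahead of the ECDHE cipher, exactly as 'openssl ciphers -v ECDHE-ECDSA-AES256-GCM-SHA384' printed earlier in the thread.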

Re: cipherlist with only tlsv1.3 ciphers reports error?

PGNet Dev-6
On 7/20/19 8:17 AM, Viktor Dukhovni wrote:

> On Sat, Jul 20, 2019 at 07:35:49AM -0700, PGNet Dev wrote:
>
>>>> Checking cipherlist for just TLSv1.3 ciphers FAILs here,
>>>>
>>>> openssl ciphers  -stdname -s -V 'TTLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384'
>>>> Error in cipher list
>>>
>>> This is expected.  Try:
>>>
>>>       openssl ciphers -tls1_3 -stdname -s -V -ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256' 'aNULL'
>
> TLS 1.3 cipher code points are fundamentally different from TLS 1.0–1.2

Thanks, mostly clear now.

> You've just not read the documentation carefully.

You're possibly making some not-necessarily valid assumptions about
who's read what, with what level of 'care', and the clarity of the
written documents ...


RE: cipherlist with only tlsv1.3 ciphers reports error?

Michael Wojcik
In reply to this post by Viktor Dukhovni
> From: openssl-users [mailto:[hidden email]] On Behalf Of
> Viktor Dukhovni
> Sent: Saturday, July 20, 2019 09:18
>
> > Atm, it's inclear why it's working for Michael Wojcik ... different
> version?
> > something's changed?
>
> I am discounting his report of success.  The full set of TLS 1.3
> ciphers is enabled by default.  If he did not use the -ciphersuites
> option, he was overriding just the 1.2 code points, and somehow
> managed to ultimately list just the TLS 1.3 code points.   He
> also had a typo in the command he posted.  It is not pertinent.

Shrug. I copied and pasted the command from PGNet Dev's email, and copied and pasted the result into my email. (I thought "TTLS" was a typo, but when the command worked as presented in the original email, didn't investigate further.) What I posted is nothing more or less than what the openssl executable currently on my system returns for that command.

Clearly that build of 1.1.1 does not work the way you expect.

That said, I'm no longer interested in *why* it doesn't. That's not the OpenSSL build we're shipping in any current product, and the configuration mechanism for the products I'm responsible for works as expected; that is, our tests confirm that the product is enabling both the configured TLSv1.3 suites and the configured pre-1.3 suites, on both client and server sides. I will, of course, save copies of Viktor's notes, since they contain important information about the operation of the ciphers command.

--
Michael Wojcik
Distinguished Engineer, Micro Focus