openssl-1.0.1c issue: invalid command:ssl_ciph.c:1170:

openssl-1.0.1c issue: invalid command:ssl_ciph.c:1170:

Sameer Stephen

Hi,

I am building an application which needs the TLSv1.2 protocol. I am getting the following issues with openssl-1.0.1c version:

Issue 1: openssl command errors out

=> openssl ciphers -v 'TLSv1.2'
Error in cipher list
47767988151392:error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:ssl_ciph.c:1170:

=> openssl ciphers -v 'TLSv1.2+HIGH:!AESGCM:!aNULL:!eNULL'
Error in cipher list
47393772139616:error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:ssl_ciph.c:1170:

Issue 2: SSL_CTX_set_cipher_list function errors out

    if (!SSL_CTX_set_cipher_list(SSL_context, "TLSv1.2+HIGH:!AESGCM:!aNULL:!eNULL")) // Function returns 0 on error
    {
        printf("Can't set cipher list\n");
    }

In openssl-1.0.1e version both the issues go away. Is this a bug? Is there any way to fix the issue without upgrading the openssl library to a new version?

Sam


Re: openssl-1.0.1c issue: invalid command:ssl_ciph.c:1170:

Jakob Bohm-7
On 4/4/2013 11:53 AM, Sameer Stephen wrote:

> Hi,
>
> I am building an application which needs TLSv1.2 protocol. I am getting
> following issues with openssl-1.0.1c version:
>
> Issue 1: openssl command errors out
>
> => openssl ciphers -v 'TLSv1.2'
>
> Error in cipher list
>
> 47767988151392:error:140E6118:SSL
> routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:ssl_ciph.c:1170:
>
> =>openssl ciphers -v  'TLSv1.2+HIGH:!AESGCM:!aNULL:!eNULL'
>
> Error in cipher list
>
> 47393772139616:error:140E6118:SSL
> routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:ssl_ciph.c:1170:
>
> Issue 2: SSL_CTX_set_cipher_list function errors out
>
>      if (!SSL_CTX_set_cipher_list(SSL_context,
> "TLSv1.2+HIGH:!AESGCM:!aNULL:!eNULL")) // Function return 0 on error
>
>      {
>
>          printf("Can't set cipher list\n");
>
>      }
>
> In openssl-1.0.1e version both the issues go away. Is this a bug? Is
> there any way to fix the issue without upgrading the openssl library to
> new version?
>

Yes it was a bug.

No, 1.0.1 to 1.0.1d contain known security holes in the SSL code and
should not be used for SSL operations, which is the reason why 1.0.1e
was released at all.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: openssl-1.0.1c issue: invalid command:ssl_ciph.c:1170:

ken@bitzermobile.com
In reply to this post by Sameer Stephen
TLS is a protocol, and not a cipher. Just enter openssl ciphers and you will see no protocols are returned.
Your question doesn't sound right, as I use 1.0.1c on Windows, iOS, and Android FIPS/Non FIPS with no issues the last year. Can you share a bit more information? Platform? Handshake code, etc.?


RE: openssl-1.0.1c issue: invalid command:ssl_ciph.c:1170:

Dave Thompson-5
> From: [hidden email] On Behalf Of [hidden email]
> Sent: Monday, 08 April, 2013 18:07

> TLS is a protocol, and not a cipher. just enter openssl
> ciphers and you will
> see no protocols are returned.

In addition to specific ciphers (suites) _set_cipher_list
accepts a number of "abbreviations": RSA for all suites
using akRSA, AES for all suites using AES, etc. TLSv1.2
should work this way and as Jakob said it has been fixed.


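
An added example, not code from any poster in this thread: a start-up check that refuses to run when the linked library is in the 1.0.1 to 1.0.1d range named above, or when it cannot parse the cipher rule string from the original post. It uses Python's ssl.SSLContext.set_ciphers in place of the C call SSL_CTX_set_cipher_list; the function names and the sample version banners in the usage are assumptions made for illustration.

```python
import re
import ssl

# The thread's answer: 1.0.1 through 1.0.1d should not be used for SSL.
# Matches a version banner such as "OpenSSL 1.0.1c ..." in that range only.
_FLAGGED = re.compile(r"^OpenSSL 1\.0\.1[a-d]?(?![0-9a-z])")

# Cipher rule string from the original post.
THREAD_RULE = "TLSv1.2+HIGH:!AESGCM:!aNULL:!eNULL"


def in_flagged_range(banner):
    """True if the banner names OpenSSL 1.0.1, 1.0.1a, 1.0.1b, 1.0.1c or 1.0.1d."""
    return _FLAGGED.match(banner) is not None


def probe_cipher_rule(rule):
    """Ask the linked library to parse `rule`; return (accepted, suite names).

    TLS 1.3 suites are left out of the result because the rule string
    does not control them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(rule)
    except ssl.SSLError:
        # Raised when the library rejects the string or no suite matches it.
        return False, []
    names = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return True, names


def startup_problems(rule=THREAD_RULE, banner=ssl.OPENSSL_VERSION):
    """Collect reasons to refuse to start; an empty list means both checks pass."""
    problems = []
    if in_flagged_range(banner):
        problems.append("library %s is in the 1.0.1-1.0.1d range" % banner)
    accepted, _ = probe_cipher_rule(rule)
    if not accepted:
        problems.append("cipher rule %r rejected by %s" % (rule, ssl.OPENSSL_VERSION))
    return problems


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, startup_problems() or "ok")
```

The cipher probe always runs against the library that Python is linked to, so the banner argument only affects the version check.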