why are some ssl_ciphers invalid

why are some ssl_ciphers invalid

jimmy-6
Hi,

Why is it that some ciphers, like "DH-DSS-AES128-SHA", have
SSL_CIPHER.valid set to 0 in the table ssl3_ciphers?

Is there a specific reason?

Thanks,
jimmy
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: why are some ssl_ciphers invalid

Dr. Stephen Henson
On Fri, Feb 10, 2006, jimmy wrote:

> Hi,
>
> Why is it that some ciphers, like "DH-DSS-AES128-SHA", have
> SSL_CIPHER.valid set to 0 in the table ssl3_ciphers?
>
> Is there a specific reason?
>

They require the use of DH certificates which OpenSSL doesn't support.

Very few people use them and I've only ever seen a handful of examples over
the years.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
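
Added example, not part of the thread and not OpenSSL source: a simplified C model of a cipher table with a `valid` flag, showing how a requested cipher string is filtered so that entries with valid = 0 are recognised by name but never selected. The struct layout, the function names and the sample table contents are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model for illustration; NOT OpenSSL's real SSL_CIPHER layout. */
struct cipher_entry {
    int valid;          /* 0 = known by name but never offered */
    const char *name;
    const char *kx;     /* key exchange and certificate type, display only */
};
/* Constructed sample table; valid = 0 marks the fixed-DH suites (assumed). */
static const struct cipher_entry table[] = {
    { 1, "AES128-SHA",         "RSA key transport" },
    { 0, "DH-DSS-AES128-SHA",  "fixed DH, DSS-signed DH certificate" },
    { 0, "DH-RSA-AES128-SHA",  "fixed DH, RSA-signed DH certificate" },
    { 1, "DHE-DSS-AES128-SHA", "ephemeral DH, DSS signing certificate" },
};
#define TABLE_LEN (sizeof(table) / sizeof(table[0]))

/* Exact-match lookup of one name; NULL if the name is not in the table. */
static const struct cipher_entry *find_cipher(const char *name, size_t len)
{
    for (size_t i = 0; i < TABLE_LEN; i++)
        if (strlen(table[i].name) == len && memcmp(table[i].name, name, len) == 0)
            return &table[i];
    return NULL;
}
/* Walk a colon-separated request: keep usable entries, count the others. */
static size_t select_ciphers(const char *req, const struct cipher_entry **out,
                             size_t max, size_t *skipped_invalid, size_t *unknown)
{
    size_t n = 0;
    *skipped_invalid = *unknown = 0;
    while (*req) {
        size_t len = strcspn(req, ":");
        const struct cipher_entry *c = find_cipher(req, len);
        if (c == NULL) { if (len) (*unknown)++; }    /* ignore empty tokens */
        else if (!c->valid) (*skipped_invalid)++;    /* needs a DH certificate */
        else if (n < max) out[n++] = c;
        req += len;
        if (*req == ':') req++;
    }
    return n;
}
int main(void)
{
    const struct cipher_entry *sel[8];
    size_t bad, unk, n = select_ciphers(
        "DH-DSS-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA", sel, 8, &bad, &unk);
    for (size_t i = 0; i < n; i++) printf("usable: %s (%s)\n", sel[i]->name, sel[i]->kx);
    printf("skipped (valid=0): %zu, unknown: %zu\n", bad, unk);
    return 0;
}
```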

Re: why are some ssl_ciphers invalid

Kyle Hamilton
There's a HOWTO on how to create DH certificates with CA.pl; the
X.509/PKCS functions support them, but the SSL/TLS layer doesn't?

-Kyle H

On 2/10/06, Dr. Stephen Henson <[hidden email]> wrote:

> On Fri, Feb 10, 2006, jimmy wrote:
>
> > Hi,
> >
> > Why is it that some ciphers, like "DH-DSS-AES128-SHA", have
> > SSL_CIPHER.valid set to 0 in the table ssl3_ciphers?
> >
> > Is there a specific reason?
> >
>
> They require the use of DH certificates which OpenSSL doesn't support.
>
> Very few people use them and I've only ever seen a handful of examples over
> the years.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]
>

Re: why are some ssl_ciphers invalid

Dr. Stephen Henson
On Fri, Feb 10, 2006, Kyle Hamilton wrote:

> There's a HOWTO on how to create DH certificates with CA.pl; the
> X.509/PKCS functions support them, but the SSL/TLS layer doesn't?
>

The openssl utility can be used to create DH *parameters* but there is no
support in the X509 library for DH *certificates*.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: why are some ssl_ciphers invalid

Wes Kussmaul

Dr. Stephen Henson wrote:
> On Fri, Feb 10, 2006, Kyle Hamilton wrote:

>>There's a HOWTO on how to create DH certificates with CA.pl; the
>>X.509/PKCS functions support them, but the SSL/TLS layer doesn't?


I assume DH = Diffie-Hellman?



--
Wes Kussmaul
CIO
The Village Group
738 Main Street
Waltham, MA 02451

781-647-7178


My uncle likes to say that the world’s biggest troubles started when the
serpent said, “Try this fruit, and by the way if a bunch of people
collectively calling themselves Arthur Andersen signs something it’s the
same as if a person named Arthur Andersen signed it.” I don’t get the
serpent and fruit part. Must be some Swiss mythology thing. He can be a
bit obscure.

                          P.K. Iggy
                          _How I Like Fixed The Internet_
                            (Tales from the Great Infodepression of 2009
                            and the prosperity that followed)

