jburel wrote:
Hi
For clarification,
the ADH ciphers will be in the list of ciphers but if you execute for example
openssl s_client -cipher "$cipher" -connect localhost:4064
where $cipher is any ADH cipher, an error will be returned indicating "no ciphers available".
This is obviously not the case in previous versions.
We will have to find the correct value to specify.
Cheers
Jmarie
I looked into this again and it seems that 'openssl ciphers' shows all
available ciphers, ignoring the configured security level. For that, one
needs the '-s' option, which then indeed shows an empty set:
$ openssl ciphers 'ADH'
ADH-AES256-GCM-SHA384:ADH-AES128-GCM-SHA256:ADH-AES256-SHA256:ADH-CAMELLIA256-SHA256:ADH-AES128-SHA256:ADH-CAMELLIA128-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ADH-AES128-SHA:ADH-SEED-SHA:ADH-CAMELLIA128-SHA
$ openssl ciphers -s 'ADH'
$
That pointed out the issue. OpenSSL has this security level thing
which defaults to 1. There are 6 levels, from 0 to 5, ranging from
everything being permitted (level 0) to 256 bits of security (level 5).
ADH ciphers are considered insecure and so are in security level 0.
The documentation recognises that setting the security level to 0 would
provide compatibility with previous versions of OpenSSL. See:
https://mta.openssl.org/pipermail/opens ... 03959.html
https://www.openssl.org/docs/man1.1.0/s ... level.html
By adding '@SECLEVEL=0' to the cipher list it works again (at the cost of
lowering the security level). So now, this works:
$ openssl s_client -cipher 'ADH' -connect omero1.bioch.ox.ac.uk:4064
CONNECTED(00000003)
140461783069952:error:141640B5:SSL routines:tls_construct_client_hello:no ciphers available:../ssl/statem/statem_clnt.c:800:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1497522688
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
$ openssl s_client -cipher 'ADH;@SECLEVEL=0' -connect omero1.bioch.ox.ac.uk:4064
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 573 bytes and written 320 bytes
Verification: OK
---
New, SSLv3, Cipher is ADH-AES256-SHA
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ADH-AES256-SHA
Session-ID: 2F92930B2CA1BDFA6CBE09E5127BCB2C0A751B2A9C71F3F73C4A488E17411282
Session-ID-ctx:
Master-Key: D510ECF2585C5E1C6BCEE658D0924A2AB02A34D3222F8777418F5431C15FA5D04A77DED87B2084A503B280BAB963EF60
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 3a 6e 0b 34 25 34 b3 b0-67 01 6d b9 a2 9e 3c d1 :n.4%4..g.m...<.
0010 - e9 2f 39 05 ff 40 58 c3-34 c9 74 d7 12 96 24 35 ./9..@X.4.t...$5
0020 - 3b 37 c8 b6 2c fb 75 2c-fe 6b 59 1f 0b af 95 ae ;7..,.u,.kY.....
0030 - 61 f2 ae c5 87 30 2f 3b-25 eb 5f 8d 54 2a 9b 9e a....0/;%._.T*..
0040 - 8a 8e 7b b5 d5 2d 9e 65-5b 83 ab f9 26 0d 11 64 ..{..-.e[...&..d
0050 - e5 87 16 14 81 3f da 8e-88 38 4c 41 8b cd a1 29 .....?...8LA...)
0060 - 9a 3c e2 a2 5e 6b 9f 4c-9f 0a e8 fb ad 7e f3 54 .<..^k.L.....~.T
0070 - 22 12 bc 12 5c fb 16 7d-0c 55 f5 fe 37 db 1f b8 "...\..}.U..7...
0080 - c5 b7 3e bc c9 90 5a 4f-79 47 0d e2 68 4e 49 9d ..>...ZOyG..hNI.
0090 - e3 aa cc e0 05 87 ec 4b-13 d8 08 3a 24 fc a9 89 .......K...:$...
Start Time: 1497522697
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
IceP
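The diagnostic in the post above, generalised to all six security levels, as an added example: these POSIX shell functions are not part of the original thread, of OMERO or of OpenSSL's own tooling. They assume an OpenSSL 1.1.0 or newer build (for 'ciphers -s' and '@SECLEVEL='), use ':' as the cipher-string separator (the one the OpenSSL manual documents), and the host and port in the usage comments are the ones from the thread.

```shell
#!/bin/sh
# Added example: compare what 'openssl ciphers' lists with what actually
# survives an OpenSSL security level, then probe a server the way the
# thread does. Assumes OpenSSL >= 1.1.0 (ciphers -s, @SECLEVEL=).

# Split a colon-separated 'openssl ciphers' list into one suite per line.
# TLS 1.3 suites (TLS_*) are dropped: newer builds print them regardless of
# the cipher string and there are no anonymous TLS 1.3 suites.
split_suites() {
    awk -F: '{ for (i = 1; i <= NF; i++) if ($i != "" && $i !~ /^TLS_/) print $i }'
}

# Every suite matched by cipher string $1, ignoring the security level.
# This is what plain 'openssl ciphers' shows and why the list looked fine.
listed_ciphers() {
    openssl ciphers "$1" 2>/dev/null | split_suites
}

# Only the suites of $1 that remain usable at security level $2.
# 'ciphers -s' applies the level; '@SECLEVEL=' selects it in the string.
usable_ciphers() {
    openssl ciphers -s "$1:@SECLEVEL=$2" 2>/dev/null | split_suites
}

# Number of usable suites of cipher string $1 at level $2.
usable_count() {
    usable_ciphers "$1" "$2" | wc -l | tr -d ' '
}

# For each level 0..5, report how much of cipher string $1 survives.
seclevel_table() {
    listed=$(listed_ciphers "$1" | wc -l | tr -d ' ')
    for level in 0 1 2 3 4 5; do
        printf 'SECLEVEL=%s: %s of %s listed suites usable\n' \
            "$level" "$(usable_count "$1" "$level")" "$listed"
    done
}

# Probe host $1 port $2 with cipher string $3, as the thread does, and print
# the negotiated suite. '(NONE)' means no handshake: either the client had
# nothing to offer at its level or the server refused everything offered.
probe_server() {
    openssl s_client -cipher "$3" -connect "$1:$2" </dev/null 2>/dev/null \
        | sed -n 's/^New, .*Cipher is \(.*\)$/\1/p'
}

# Usage (output depends on the local OpenSSL build and config):
#   seclevel_table ADH
#   probe_server omero1.bioch.ox.ac.uk 4064 'ADH'
#   probe_server omero1.bioch.ox.ac.uk 4064 'ADH:@SECLEVEL=0'
```

On a build with anonymous DH compiled in, seclevel_table ADH shows the full list usable only at level 0 and nothing from level 1 upwards, which is what the empty 'openssl ciphers -s ADH' output above means. A caveat beyond the ADH question: the server in the thread offers a 1024-bit DH temp key, which satisfies level 1 (1024-bit minimum) but not level 2 (2048-bit minimum), so a client at the level 2 that some distributions configure would also reject an authenticated DHE suite from that server unless the level is lowered to 1.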