> [runningdoglac...@yahoo.com - Fri May 04 11:18:52 2012]:
>
> There are two groups of four ciphersuites that I think have mismatched
> key exchange cipherlist labels.
>
> The first four are DH-DSS ciphersuites which don't seem to be
> enabled, but as long as they are in the table perhaps they ought to be
> corrected.
> This patch changes Kx in those instances from kDHr to kDHd
> (ciphersuites 3e, 68, a4, a5)
>
> The second four are in ECDH-RSA ciphersuites which can be seen in
> 1.0.1b with
> openssl ciphers "kECDHe" -v | grep RSA
> ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
> ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
> ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
> ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
>
> This patch changes Kx in those instances from kECDHe to kECDHr.
> (ciphersuites c029, c02a, c031, c032)
>
Thanks for the patch, this will be corrected. The DH-DSS ciphersuites are enabled in OpenSSL 1.0.2 and later.

Fortunately this error won't affect interoperability as the signature algorithm part of the ciphersuite is not used in TLS v1.2.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
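
The label mismatch reported above can be checked mechanically. The following is an added example, not part of the original thread or of OpenSSL's code: it parses `openssl ciphers -v` style output and flags fixed-(EC)DH suites whose name prefix disagrees with the printed Kx label. The prefix-to-label map, the function name and the last two sample lines are assumptions made for illustration.

```python
import re

# Kx label that `openssl ciphers -v` prints for each fixed-(EC)DH name prefix
# (assumed mapping for kDHr, kDHd, kECDHr, kECDHe in OpenSSL 1.0.x output).
EXPECTED_KX = {
    "DH-RSA-": "DH/RSA",
    "DH-DSS-": "DH/DSS",
    "ECDH-RSA-": "ECDH/RSA",
    "ECDH-ECDSA-": "ECDH/ECDSA",
}

# Suite name, protocol column, then the Kx= field; the rest is ignored.
LINE_RE = re.compile(r"^(?P<name>\S+)\s+\S+\s+Kx=(?P<kx>\S+)")

# The first four lines are the ones quoted in the report; the last two are
# constructed, consistent entries that must not be flagged.
SAMPLE = """\
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-RSA-AES256-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
"""


def find_kx_mismatches(listing):
    """Return (name, expected_kx, actual_kx) for each inconsistent suite."""
    mismatches = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or unrecognised format
        name, kx = m.group("name"), m.group("kx")
        for prefix, expected in EXPECTED_KX.items():
            if name.startswith(prefix):
                if kx != expected:
                    mismatches.append((name, expected, kx))
                break  # prefixes are mutually exclusive
    return mismatches


if __name__ == "__main__":
    for name, expected, actual in find_kx_mismatches(SAMPLE):
        print(f"{name}: Kx={actual}, but the name implies Kx={expected}")
```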