Re: cipherlist with only tlsv1.3 ciphers reports error?

Fri, 19 Jul 2019 12:49:44 -0700 

> Works for me:

heh.  of COURSE it does!

sanity check here,

  openssl ciphers  -stdname -s -V 
'TTLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384'

        Error in cipher list
        140042399306176:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no 
cipher match:ssl/ssl_lib.c:2549:


> Different OpenSSL release?

yes

openssl version
        OpenSSL 1.1.1c  28 May 2019

> Difference in build configuration?

yes

openssl version -f -p
        platform: linux-x86_64
        compiler: /usr/bin/gcc-9 -fPIC -pthread -m64 -Wa,--noexecstack -O3 
-Wall -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables 
-fmessage-length=0 -grecord-gcc-switches -march=native -mtune=native 
-fno-common -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ 
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM 
-DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM 
-DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -D_GNU_SOURCE 
-DOPENSSL_NO_BUF_FREELISTS -DOPENSSL_NO_HEARTBEATS -DPURIFY -DSSL_FORBID_ENULL 
-DTERMIO -O3 -Wall -fstack-protector-strong -funwind-tables 
-fasynchronous-unwind-tables -fmessage-length=0 -grecord-gcc-switches 
-march=native -mtune=native -D_FORTIFY_SOURCE=2

which is quite different than yours. the config which I start with

        ./config -v \
         --prefix=/usr/local/openssl11 \
         --openssldir=/usr/local/openssl11 \
         --libdir=lib64 \
         -D_GNU_SOURCE \
         -DOPENSSL_NO_BUF_FREELISTS \
         -DOPENSSL_NO_HEARTBEATS \
         -DPURIFY \
         -DSSL_FORBID_ENULL \
         -DTERMIO \
         -Wa,--noexecstack \
         -Wl,-z,relro,-z,now \
         -Wall \
         -Wl,-rpath=/usr/local/openssl11 \
         -fno-common \
         threads shared \
         no-comp no-zlib no-zlib-dynaemic \
         enable-ec_nistp_64_gcc_128 \
         no-sctp \
         no-idea \
         no-mdc2 \
         no-rc2 \
         no-rc5 \
         no-ssl3 \
         no-weak-ssl-ciphers \
         no-nextprotoneg

That, too, is 'old' (been in use for a loooong time ...), and probably can 
benefit from some clean-up.

As to what of that^ is causing my fail ... ? not immediately clear what the 
culprit is.

Before I start decomposing the config difference, anything obvious leap out at 
you?

> Configuration file difference?

which config file are you referring to?

Reply via email to