[openssl-users] Openssl connects with Des-Cbc-sha in tls1.2

2016-11-30 Thread vishnu raju
Hi all,
I am getting connection success in a tls1.2 connection with Des-Cbc-sha
cipher.  But up to my knowledge this cipher is deprecated on tls1.2.
Thanks for your help.

Regards,
Vishnu
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Return type of SSL_ctrl

2016-11-30 Thread Salz, Rich
> (Does OpenSSL support any platform in which type int is 16 bits?)

No.


Re: [openssl-users] Return type of SSL_ctrl

2016-11-30 Thread Ludwig, Mark
> From: Salz, Rich, Wednesday, November 30, 2016 9:38 AM
> 
> > We're moving up to OpenSSL 1.0.2j from OpenSSL 0.9.8, and
> > noticed that the SSL functions based on SSL_ctrl() changed from returning
> > type int to returning type long.
> 
> The "proper" answer is to not use long, but rather sized types, which we are
> slowly moving toward.

Funny you should mention this, because this topic arose
internally after someone decided to change the return type
of SSL_ctrl() to intptr_t.  I have no idea why, since as far
as I can tell, all of the return values would fit in a
32-bit integer; thus my question about why it was changed to
long, which is either 32 bits or 64 bits, depending on
platform.  I suspect it was the use of long that tricked someone 
into thinking it might be holding a pointer, and thus led to the 
change to intptr_t, so it would fit on Windows.  (Blind/stupid
global replacement.)

(Does OpenSSL support any platform in which type int is 16 bits?)

Thanks,
Mark



Re: [openssl-users] Return type of SSL_ctrl

2016-11-30 Thread Salz, Rich
> We're moving up to OpenSSL 1.0.2j from OpenSSL 0.9.8, and
> noticed that the SSL functions based on SSL_ctrl() changed from returning
> type int to returning type long.

The when and the why is probably lost to history.  Doing 'git log' and looking 
for SSL_ctrl doesn't show anything.

Oh well.

The "proper" answer is to not use long, but rather sized types, which we are 
slowly moving toward.
--  
Senior Architect, Akamai Technologies
Member, OpenSSL Dev Team
IM: richs...@jabber.at Twitter: RichSalz



[openssl-users] Return type of SSL_ctrl

2016-11-30 Thread Ludwig, Mark
Greetings,

We're moving up to OpenSSL 1.0.2j from OpenSSL 0.9.8, and noticed that the SSL
functions based on SSL_ctrl() changed from returning type int to returning type
long.

It's not clear why this is necessary, by spot-checking the documented numerical
domain of the return values of the SSL functions (macros) deriving from
SSL_ctrl().  Why was this done?

(I don't see mention of this in the CHANGES file.)

Thanks,

Mark Ludwig

Siemens Product Lifecycle Management Software Inc.
Communications and Government Affairs
Product Lifecycle Management
Lifecycle Coll
5939 Rice Creek Parkway
Shoreview, MN  55126 United States 
Tel.  :+1 (651) 855-6140
Fax  :+1 (651) 855-6280
ludwig.m...@siemens.com 
www.siemens.com/plm 



Re: [openssl-users] When ciphers are deprecated?

2016-11-30 Thread Mattia Rossi
Thanks Matt,

It's all I need!

2016-11-30 10:58 GMT+01:00 Matt Caswell :
>
>
> On 30/11/16 09:35, Mattia Rossi wrote:
>> Hi all,
>>
>> After updating from 1.0.2h to 1.0.2j some of my PHP script is broken,
>> because it can't connect to the server, after some research the server
>> supports very old TLSv1.0 ciphers.
>>
>> So I check what ciphers PHP query for and with different versions of
>> openssl I get different result, so in libssl 1.0.2h I have these
>> ciphers:
>> - EDH-RSA-DES-CBC3-SHA
>> - DES-CBC3-SHA
>>
>> In the last version I haven't.
>>
>> Where is the information when ciphers are dropped? and why?
>
> These ciphers have not been dropped in 1.0.2, but reclassified from the
> "HIGH" cipherstring keyword to the "MEDIUM" cipherstring keyword. Major
> changes such as these are normally described in the CHANGES file:
>
> https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/CHANGES
>
> In this case, the following entry is relevant:
>
>
>   *) In order to mitigate the SWEET32 attack, the DES ciphers were moved
>      from HIGH to MEDIUM.
>
>      This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan
>      Leurent (INRIA)
>      (CVE-2016-2183)
>      [Rich Salz]
>
>
> You can read more about SWEET32 here:
>
> https://www.openssl.org/blog/blog/2016/08/24/sweet32/
>
> Matt


Re: [openssl-users] When ciphers are deprecated?

2016-11-30 Thread Matt Caswell


On 30/11/16 09:35, Mattia Rossi wrote:
> Hi all,
> 
> After updating from 1.0.2h to 1.0.2j some of my PHP script is broken,
> because it can't connect to the server, after some research the server
> supports very old TLSv1.0 ciphers.
> 
> So I check what ciphers PHP query for and with different versions of
> openssl I get different result, so in libssl 1.0.2h I have these
> ciphers:
> - EDH-RSA-DES-CBC3-SHA
> - DES-CBC3-SHA
> 
> In the last version I haven't.
> 
> Where is the information when ciphers are dropped? and why?

These ciphers have not been dropped in 1.0.2, but reclassified from the
"HIGH" cipherstring keyword to the "MEDIUM" cipherstring keyword. Major
changes such as these are normally described in the CHANGES file:

https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/CHANGES

In this case, the following entry is relevant:


  *) In order to mitigate the SWEET32 attack, the DES ciphers were moved
     from HIGH to MEDIUM.

     This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan
     Leurent (INRIA)
     (CVE-2016-2183)
     [Rich Salz]


You can read more about SWEET32 here:

https://www.openssl.org/blog/blog/2016/08/24/sweet32/

Matt
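An added example (not part of the original thread and not OpenSSL project code): a small Python audit that asks the locally linked OpenSSL which DES/3DES suites a given cipher string still admits, which makes the HIGH-to-MEDIUM reclassification described above visible and also covers the earlier question about DES-CBC-SHA still being selectable. The function names and the name-matching regex are assumptions of this example.

```python
import re
import ssl

# Assumption of this example: DES/3DES suites are recognised by their OpenSSL
# names, e.g. DES-CBC-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA,
# PSK-3DES-EDE-CBC-SHA.
_DES_NAME = re.compile(r"(?:^|-)(?:DES-CBC3?|3DES-EDE-CBC)-")


def is_des(name):
    """True if an OpenSSL suite name uses single DES or 3DES."""
    return bool(_DES_NAME.search(name))


def expand(cipher_string):
    """Suite names the linked OpenSSL enables for cipher_string.

    Returns [] when OpenSSL rejects the string because nothing matches.
    TLS 1.3 suites are configured separately and may appear regardless.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def des_suites(cipher_string):
    """DES/3DES suites that cipher_string still admits on this build."""
    return [n for n in expand(cipher_string) if is_des(n)]


def audit(cipher_strings=("HIGH", "MEDIUM", "DEFAULT", "HIGH:MEDIUM:!3DES")):
    """Map each cipher string to the DES/3DES suites it would offer."""
    return {s: des_suites(s) for s in cipher_strings}


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for string, hits in audit().items():
        print(f"{string:20} -> {hits or 'no DES/3DES suites'}")
```

On a build that carries the CHANGES entry quoted above, `HIGH` reports no DES/3DES suites; whether `MEDIUM` or `DEFAULT` report any depends on how the local OpenSSL was compiled.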


[openssl-users] When ciphers are deprecated?

2016-11-30 Thread Mattia Rossi
Hi all,

After updating from 1.0.2h to 1.0.2j some of my PHP script is broken,
because it can't connect to the server, after some research the server
supports very old TLSv1.0 ciphers.

So I check what ciphers PHP query for and with different versions of
openssl I get different result, so in libssl 1.0.2h I have these
ciphers:
- EDH-RSA-DES-CBC3-SHA
- DES-CBC3-SHA

In the last version I haven't.

Where is the information when ciphers are dropped? and why?

Thanks!