Re: [openssl-users] Diffie-Hellman Questions
> NO, Rich is making a mistake, ADH is ephemeral of necessity, since without
> long-term keys in certificates it is impossible to use long-term keys whose
> disclosure might later compromise confidentiality.

Except that your code can always use the same keypair if it screws up the callback. And that's what I meant. But Viktor's advice is spot-on.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Diffie-Hellman Questions
Yes, it's only required on the server.

Norm Green

On 5/25/16 14:10, Jeremy Farrell wrote:
> Interesting; is this a server-side requirement? I ask because with 1.0.2g my client using "AECDH+AES:ADH+AES" makes a TLS 1.2 connection with AECDH-AES256-SHA without calling this function or similar.
>
> Regards,
> jjf
>
> On 25/05/2016 21:31, Norm Green wrote:
> > Yes! That was the problem. In order to use cipher "AECDH", SSL_CTX_set_ecdh_auto(ctx, 1) must be called first. Thanks Michael!!
> >
> > Norm
> >
> > On 5/24/16 15:52, Michael Wojcik wrote:
> > > > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Norm Green
> > > > Sent: Tuesday, May 24, 2016 13:40
> > > >
> > > > I've tried both:
> > > >
> > > >     SSL_CTX_set_cipher_list("AECDH")
> > > >
> > > > and:
> > > >
> > > >     SSL_CTX_set_cipher_list("AECDH-AES256-SHA")
> > > >
> > > > on both the client and server side, both of which result in the dreaded "no shared cipher" error:
> > > >
> > > >     error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1417:
> > >
> > > You might run a wire trace to see what suites the client is actually advertising. And you are using TLS, right?
> > >
> > > For AECDH* (or any ECC suite), don't you have to tell OpenSSL what curve to use? I haven't implemented that bit myself in any applications, but my understanding is that with OpenSSL 1.0.2 you can just call SSL_CTX_set_ecdh_auto(ctx, 1). With 1.0.1 you have to specify a particular named curve with SSL_CTX_set_tmp_ecdh.
>
> --
> J. J. Farrell
> Not speaking for Oracle
Re: [openssl-users] Diffie-Hellman Questions
Interesting; is this a server-side requirement? I ask because with 1.0.2g my client using "AECDH+AES:ADH+AES" makes a TLS 1.2 connection with AECDH-AES256-SHA without calling this function or similar.

Regards,
jjf

On 25/05/2016 21:31, Norm Green wrote:
> Yes! That was the problem. In order to use cipher "AECDH", SSL_CTX_set_ecdh_auto(ctx, 1) must be called first. Thanks Michael!!
>
> Norm
>
> On 5/24/16 15:52, Michael Wojcik wrote:
> > > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Norm Green
> > > Sent: Tuesday, May 24, 2016 13:40
> > >
> > > I've tried both:
> > >
> > >     SSL_CTX_set_cipher_list("AECDH")
> > >
> > > and:
> > >
> > >     SSL_CTX_set_cipher_list("AECDH-AES256-SHA")
> > >
> > > on both the client and server side, both of which result in the dreaded "no shared cipher" error:
> > >
> > >     error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1417:
> >
> > You might run a wire trace to see what suites the client is actually advertising. And you are using TLS, right?
> >
> > For AECDH* (or any ECC suite), don't you have to tell OpenSSL what curve to use? I haven't implemented that bit myself in any applications, but my understanding is that with OpenSSL 1.0.2 you can just call SSL_CTX_set_ecdh_auto(ctx, 1). With 1.0.1 you have to specify a particular named curve with SSL_CTX_set_tmp_ecdh.

--
J. J. Farrell
Not speaking for Oracle
Re: [openssl-users] Diffie-Hellman Questions
On Tue, May 24, 2016 at 05:45:56PM +, Salz, Rich wrote:

> > >./openssl ciphers -v 'ALL:aNULL' |grep ECDH |grep "Au=None"
> > AECDH-AES256-SHA        SSLv3 Kx=ECDH Au=None Enc=AES(256)  Mac=SHA1
> > AECDH-AES128-SHA        SSLv3 Kx=ECDH Au=None Enc=AES(128)  Mac=SHA1
> > AECDH-RC4-SHA           SSLv3 Kx=ECDH Au=None Enc=RC4(128)  Mac=SHA1
> > AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1
> > AECDH-NULL-SHA          SSLv3 Kx=ECDH Au=None Enc=None      Mac=SHA1
> >
> > 1) What arg to SSL_CTX_set_cipher_list() do I need to use to get these?
> > I previously tried "kEECDH:kEDH" and that didn't work.
>
> Use one of the names in the first column.

No. To avoid overly-specific settings:

    # To insist on anon ciphersuites:
    OpenSSL 1.0.x: ALL+aNULL
    OpenSSL 1.1.x: ALL+aNULL:@SECLEVEL=0

    # To prefer anon ciphersuites:
    OpenSSL 1.0.x: aNULL:-aNULL:ALL
    OpenSSL 1.1.x: aNULL:-aNULL:ALL:@SECLEVEL=0

    # To tolerate anon ciphersuites without explicit preference:
    OpenSSL 1.0.x: ALL
    OpenSSL 1.1.x: ALL:@SECLEVEL=0

In OpenSSL 1.1.0 I wanted to implement @AUTHLEVEL, to support @SECLEVEL=1 for ciphers, while allowing anon auth, but that did not make it into the code early enough:

    ssl/ssl_cert.c:
        /*
         * XXX: Separate @AUTHSECLEVEL and @TLSSECLEVEL would be useful at some
         * point, for now a single @SECLEVEL sets the same policy for TLS crypto
         * and PKI authentication.
         */
        X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));

That is perhaps still technically possible for 1.1.0, but almost certainly too late, it is not a bug fix, and we're near the final release. I'd like to add that for the next release.

--
Viktor.
Re: [openssl-users] Diffie-Hellman Questions
On Tue, May 24, 2016 at 05:08:38PM +, Salz, Rich wrote:

> > 2) Are the same encryption keys used every time with ADH?
>
> Yes. That's the other BIG reason :) You really want ephemeral, and
> therefore ECDH

NO, Rich is making a mistake, ADH is ephemeral of necessity, since without long-term keys in certificates it is impossible to use long-term keys whose disclosure might later compromise confidentiality.

> > 3) Is it possible to use ephemeral DH without using certificates? I was not
> > able to get that to work.
>
> Yes. This is "null" auth.

Essentially: aNULL == (ADH || AECDH).

--
Viktor.
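An added example, not part of the thread: a small Python audit of `openssl ciphers -v` output that flags every suite with Au=None (the ADH and AECDH families that aNULL expands to) and singles out any that also has Enc=None. The AECDH rows are the ones quoted in the thread; the ADH and ECDHE-RSA rows and the function names are constructed for illustration.

```python
import re

# AECDH rows: from the listing quoted in the thread.
# Last two rows: constructed for contrast, same column layout.
SAMPLE = """\
AECDH-AES256-SHA        SSLv3 Kx=ECDH Au=None Enc=AES(256)  Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH Au=None Enc=AES(128)  Mac=SHA1
AECDH-RC4-SHA           SSLv3 Kx=ECDH Au=None Enc=RC4(128)  Mac=SHA1
AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1
AECDH-NULL-SHA          SSLv3 Kx=ECDH Au=None Enc=None      Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH   Au=None Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH Au=RSA  Enc=AES(256)  Mac=SHA1
"""

FIELD = re.compile(r"(Kx|Au|Enc|Mac)=(\S+)")
REQUIRED = {"Kx", "Au", "Enc", "Mac"}


def parse_listing(text):
    """Parse `openssl ciphers -v` rows into dicts; skip lines that do not fit."""
    suites = []
    for line in text.splitlines():
        cols = line.split()
        fields = dict(FIELD.findall(line))
        if len(cols) < 2 or not fields.keys() >= REQUIRED:
            continue
        suites.append({"name": cols[0], "proto": cols[1], **fields})
    return suites


def audit(suites):
    """Return (name, family, issues) for each suite without authentication."""
    findings = []
    for s in suites:
        if s["Au"] != "None":
            continue  # peer is authenticated; not an anon suite
        if s["Kx"] == "DH":
            family = "ADH"
        elif s["Kx"].startswith("ECDH"):
            family = "AECDH"
        else:
            family = "other"
        issues = ["no authentication"]
        if s["Enc"] == "None":
            issues.append("no encryption")
        findings.append((s["name"], family, issues))
    return findings


if __name__ == "__main__":
    for name, family, issues in audit(parse_listing(SAMPLE)):
        print(f"{name:22} {family:6} {', '.join(issues)}")
```

Feed it the output of `openssl ciphers -v` for the cipher string a service actually configures to see whether anonymous suites are reachable.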
Re: [openssl-users] Diffie-Hellman Questions
Yes! That was the problem. In order to use cipher "AECDH", SSL_CTX_set_ecdh_auto(ctx, 1) must be called first. Thanks Michael!!

Norm

On 5/24/16 15:52, Michael Wojcik wrote:
> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Norm Green
> > Sent: Tuesday, May 24, 2016 13:40
> >
> > I've tried both:
> >
> >     SSL_CTX_set_cipher_list("AECDH")
> >
> > and:
> >
> >     SSL_CTX_set_cipher_list("AECDH-AES256-SHA")
> >
> > on both the client and server side, both of which result in the dreaded "no shared cipher" error:
> >
> >     error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1417:
>
> You might run a wire trace to see what suites the client is actually advertising. And you are using TLS, right?
>
> For AECDH* (or any ECC suite), don't you have to tell OpenSSL what curve to use? I haven't implemented that bit myself in any applications, but my understanding is that with OpenSSL 1.0.2 you can just call SSL_CTX_set_ecdh_auto(ctx, 1). With 1.0.1 you have to specify a particular named curve with SSL_CTX_set_tmp_ecdh.
Re: [openssl-users] Diffie-Hellman Questions
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Norm Green
> Sent: Tuesday, May 24, 2016 13:40
>
> I've tried both:
>
>     SSL_CTX_set_cipher_list("AECDH")
>
> and:
>
>     SSL_CTX_set_cipher_list("AECDH-AES256-SHA")
>
> on both the client and server side, both of which result in the dreaded "no shared cipher" error:
>
>     error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1417:

You might run a wire trace to see what suites the client is actually advertising. And you are using TLS, right?

For AECDH* (or any ECC suite), don't you have to tell OpenSSL what curve to use? I haven't implemented that bit myself in any applications, but my understanding is that with OpenSSL 1.0.2 you can just call SSL_CTX_set_ecdh_auto(ctx, 1). With 1.0.1 you have to specify a particular named curve with SSL_CTX_set_tmp_ecdh.

--
Michael Wojcik
Technology Specialist, Micro Focus
Re: [openssl-users] Diffie-Hellman Questions
> Any suggestions on how to proceed?

Sorry, no.
Re: [openssl-users] Diffie-Hellman Questions
I've tried both:

    SSL_CTX_set_cipher_list("AECDH")

and:

    SSL_CTX_set_cipher_list("AECDH-AES256-SHA")

on both the client and server side, both of which result in the dreaded "no shared cipher" error:

    error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1417:

The following works but is not what I want:

    SSL_CTX_set_cipher_list("ADH")

Any suggestions on how to proceed?

Norm Green

On 5/24/16 10:45, Salz, Rich wrote:
> > >./openssl ciphers -v 'ALL:aNULL' |grep ECDH |grep "Au=None"
> > AECDH-AES256-SHA        SSLv3 Kx=ECDH Au=None Enc=AES(256)  Mac=SHA1
> > AECDH-AES128-SHA        SSLv3 Kx=ECDH Au=None Enc=AES(128)  Mac=SHA1
> > AECDH-RC4-SHA           SSLv3 Kx=ECDH Au=None Enc=RC4(128)  Mac=SHA1
> > AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1
> > AECDH-NULL-SHA          SSLv3 Kx=ECDH Au=None Enc=None      Mac=SHA1
> >
> > 1) What arg to SSL_CTX_set_cipher_list() do I need to use to get these? I previously tried "kEECDH:kEDH" and that didn't work.
>
> Use one of the names in the first column.
>
> > 2) These ciphers all report as SSLv3.
>
> That is the protocol version where they were first defined.
Re: [openssl-users] Diffie-Hellman Questions
> >./openssl ciphers -v 'ALL:aNULL' |grep ECDH |grep "Au=None"
> AECDH-AES256-SHA        SSLv3 Kx=ECDH Au=None Enc=AES(256)  Mac=SHA1
> AECDH-AES128-SHA        SSLv3 Kx=ECDH Au=None Enc=AES(128)  Mac=SHA1
> AECDH-RC4-SHA           SSLv3 Kx=ECDH Au=None Enc=RC4(128)  Mac=SHA1
> AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1
> AECDH-NULL-SHA          SSLv3 Kx=ECDH Au=None Enc=None      Mac=SHA1
>
> 1) What arg to SSL_CTX_set_cipher_list() do I need to use to get these?
> I previously tried "kEECDH:kEDH" and that didn't work.

Use one of the names in the first column.

> 2) These ciphers all report as SSLv3.

That is the protocol version where they were first defined.
Re: [openssl-users] Diffie-Hellman Questions
Thanks Rich. More newbie questions.

Looking at the available ciphers I see this:

    >./openssl ciphers -v 'ALL:aNULL' |grep ECDH |grep "Au=None"
    AECDH-AES256-SHA        SSLv3 Kx=ECDH Au=None Enc=AES(256)  Mac=SHA1
    AECDH-AES128-SHA        SSLv3 Kx=ECDH Au=None Enc=AES(128)  Mac=SHA1
    AECDH-RC4-SHA           SSLv3 Kx=ECDH Au=None Enc=RC4(128)  Mac=SHA1
    AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1
    AECDH-NULL-SHA          SSLv3 Kx=ECDH Au=None Enc=None      Mac=SHA1

1) What arg to SSL_CTX_set_cipher_list() do I need to use to get these? I previously tried "kEECDH:kEDH" and that didn't work.

2) These ciphers all report as SSLv3. Do I have to use SSLv3 client/server methods to get access to these ciphers? I was using TLS 1.2 (TLSv1_2_server_method()) methods.

Norm Green

On 5/24/16 10:08, Salz, Rich wrote:
> > 1) The wiki says don't use ADH, presumably because ADH provides encryption but not authentication and is exposed to man in the middle attacks. Is that the only reason?
>
> Use ECDH, it's less expensive computationally.
>
> > 2) Are the same encryption keys used every time with ADH?
>
> Yes. That's the other BIG reason :) You really want ephemeral, and therefore ECDH
>
> > 3) Is it possible to use ephemeral DH without using certificates? I was not able to get that to work.
>
> Yes. This is "null" auth.
>
> > 4) What is the best practice for establishing an anonymous encrypted channel using OpenSSL?
>
> Postfix does this kind of thing, as does other SMTP software. Look around for 'opportunistic encryption' perhaps.
Re: [openssl-users] Diffie-Hellman Questions
> 1) The wiki says don't use ADH, presumably because ADH provides
> encryption but not authentication and is exposed to man in the middle
> attacks. Is that the only reason?

Use ECDH, it's less expensive computationally.

> 2) Are the same encryption keys used every time with ADH?

Yes. That's the other BIG reason :) You really want ephemeral, and therefore ECDH

> 3) Is it possible to use ephemeral DH without using certificates? I was not
> able to get that to work.

Yes. This is "null" auth.

> 4) What is the best practice for establishing an anonymous encrypted
> channel using OpenSSL?

Postfix does this kind of thing, as does other SMTP software. Look around for 'opportunistic encryption' perhaps.