Re: [openssl-users] Integrating New Cipher Suite

2017-10-04 Thread Schmicker, Robert
Not sure if I'm late to the party on this one but check out this link:

https://wiki.openssl.org/index.php/How_to_Integrate_a_Symmetric_Cipher

I wrote this up a few months back so let me know if you have any questions.

Rob


Re: [openssl-users] Integrating New Cipher Suite

2017-10-02 Thread Jakob Bohm

On 02/10/2017 00:47, Dr. Stephen Henson wrote:
> On Sun, Oct 01, 2017, Wallboy wrote:
>
>> Hi,
>>
>> ...
>> Bonus Question: Is it possible to remove the SCSV cipher in the ClientHello?
>>
> You can't remove it without making source changes. Again it's in the
> ssl_cipher_list_to_bytes() function.
>

Have you tried clearing SSL_MODE_SEND_FALLBACK_SCSV (in a program),
or (not) using the -fallback_scsv option to s_client?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Integrating New Cipher Suite

2017-10-01 Thread Dr. Stephen Henson
On Sun, Oct 01, 2017, Wallboy wrote:

> Hi,
> 
> I'm also interested in adding a few "pseudo" ciphersuites to OpenSSL.
> Notably the 16 GREASE ones Chrome currently uses (0x0A0A, 0x1A1A...0xFAFA).
> 
> I made similar changes to the files listed in this thread and compiled
> successfully (based on 1.1.0f). I see the new cipher when doing "openssl
> ciphers ALL:eNULL". 
> 
> However I had the same issue that when trying to include it using s_client,
> the ClientHello message did not actually send it:
> 
> openssl s_client -cipher "ECDHE-RSA-AES256-SHA:GREASE-0A0A" -connect
> www.google.com:443 -servername www.google.com
> 
> ClientHello contained two ciphersuites. The first one listed and also the
> SCSV cipher
> 
> I then tried this:
> 
> openssl s_client -cipher "ECDHE-RSA-AES256-SHA:GREASE-0A0A:@SECLEVEL=0"
> -connect www.google.com:443 -servername www.google.com
> 
> Bingo! But the ClientHello now sends 4 Ciphersuites. The first one listed,
> followed by my GREASE pseudo cipher, then TLS_RSA_WITH_RC4_128_MD5, then the
> SCSV cipher.
> 
> I'm not sure why that RC4 cipher is sent. Although it probably has to do
> with the fact I structured that GREASE cipher after it:
> 
>  {
>  1,
>  SSL3_TXT_GREASE1,
>  SSL3_CK_GREASE1,
>  SSL_kRSA,
>  SSL_aRSA,
>  SSL_RC4,
>  SSL_MD5,
>  SSL3_VERSION, TLS1_2_VERSION,
>  0, 0,
>  SSL_NOT_DEFAULT | SSL_MEDIUM,
>  SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
>  128,
>  128,
>  },
> 
> If I'm just trying to use it as a pseudo cipher for ClientHello messages,
> how should it look in the above struct? And how can I get it to send without
> specifying SECLEVEL=0?
> 

If you want to specify the ciphersuites in the cipher string then they need to
be part of the list of ciphers. However these wouldn't be normal ciphersuites:
they'd never be selected by a server for example. Giving them separate
definitions and handling does go against the requirements of GREASE draft
though.

Your problems are because you copied the definitions for that RC4 ciphersuite.
The fact it uses MD5 means it gets ruled out at anything other than security
level 0.

If you just want to include them in a client hello you can do something
similar to the scsv code which adds its own pseudo-ciphersuite. In particular
the code in ssl_cipher_list_to_bytes().

> Bonus Question: Is it possible to remove the SCSV cipher in the ClientHello?
> 

You can't remove it without making source changes. Again it's in the
ssl_cipher_list_to_bytes() function.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
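
The cipher_suites list discussed in this message, as an added example that is not part of the original post or of OpenSSL: a parser that separates negotiable ciphersuites from GREASE values and SCSV signalling values, which a server or inspection tool must never select. The function names are hypothetical, the sample bytes are constructed from the four-suite ClientHello described in the thread, and the SCSV is assumed to be TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00FF).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum suite_kind { SUITE_REAL, SUITE_GREASE, SUITE_RENEG_SCSV, SUITE_FALLBACK_SCSV };

/* GREASE code points are 0x0A0A, 0x1A1A, ... 0xFAFA: both bytes equal,
 * low nibble 0xA. */
static int is_grease(uint16_t id)
{
    return (id & 0x0F0F) == 0x0A0A && (id >> 8) == (id & 0xFF);
}

enum suite_kind classify_suite(uint16_t id)
{
    if (id == 0x00FF) return SUITE_RENEG_SCSV;     /* TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
    if (id == 0x5600) return SUITE_FALLBACK_SCSV;  /* TLS_FALLBACK_SCSV */
    return is_grease(id) ? SUITE_GREASE : SUITE_REAL;
}

/*
 * Parse a cipher_suites vector: 2-byte big-endian length, then 2-byte ids.
 * Negotiable ids are copied to out[]; GREASE and SCSV values are only
 * counted in *n_pseudo. Returns the number of negotiable ids, or -1 if the
 * vector is malformed or out[] is too small.
 */
int parse_cipher_suites(const uint8_t *buf, size_t len,
                        uint16_t *out, size_t out_cap, size_t *n_pseudo)
{
    size_t vec_len, i, n = 0;

    *n_pseudo = 0;
    if (len < 2)
        return -1;
    vec_len = ((size_t)buf[0] << 8) | buf[1];
    if (vec_len < 2 || (vec_len & 1) || vec_len > len - 2)
        return -1;
    for (i = 0; i < vec_len; i += 2) {
        uint16_t id = (uint16_t)((buf[2 + i] << 8) | buf[3 + i]);
        if (classify_suite(id) != SUITE_REAL) {
            (*n_pseudo)++;
            continue;
        }
        if (n == out_cap)
            return -1;
        out[n++] = id;
    }
    return (int)n;
}

/* Constructed sample: ECDHE-RSA-AES256-SHA (0xC014), GREASE 0x0A0A,
 * TLS_RSA_WITH_RC4_128_MD5 (0x0004), SCSV (0x00FF). */
static const uint8_t SAMPLE[] = { 0x00, 0x08, 0xC0, 0x14, 0x0A, 0x0A,
                                  0x00, 0x04, 0x00, 0xFF };

int main(void)
{
    uint16_t real[8];
    size_t pseudo, i;
    int n = parse_cipher_suites(SAMPLE, sizeof SAMPLE, real, 8, &pseudo);

    if (n < 0) {
        fprintf(stderr, "malformed cipher_suites vector\n");
        return 1;
    }
    for (i = 0; i < (size_t)n; i++)
        printf("negotiable: 0x%04X\n", real[i]);
    printf("ignored pseudo-ciphersuites: %zu\n", pseudo);
    return 0;
}
```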


Re: [openssl-users] Integrating New Cipher Suite

2017-10-01 Thread Wallboy
Hi,

I'm also interested in adding a few "pseudo" ciphersuites to OpenSSL.
Notably the 16 GREASE ones Chrome currently uses (0x0A0A, 0x1A1A...0xFAFA).

I made similar changes to the files listed in this thread and compiled
successfully (based on 1.1.0f). I see the new cipher when doing "openssl
ciphers ALL:eNULL". 

However I had the same issue that when trying to include it using s_client,
the ClientHello message did not actually send it:

openssl s_client -cipher "ECDHE-RSA-AES256-SHA:GREASE-0A0A" -connect
www.google.com:443 -servername www.google.com

ClientHello contained two ciphersuites. The first one listed and also the
SCSV cipher

I then tried this:

openssl s_client -cipher "ECDHE-RSA-AES256-SHA:GREASE-0A0A:@SECLEVEL=0"
-connect www.google.com:443 -servername www.google.com

Bingo! But the ClientHello now sends 4 Ciphersuites. The first one listed,
followed by my GREASE pseudo cipher, then TLS_RSA_WITH_RC4_128_MD5, then the
SCSV cipher.

I'm not sure why that RC4 cipher is sent. Although it probably has to do
with the fact I structured that GREASE cipher after it:

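 {
     1,                                      /* valid */
     SSL3_TXT_GREASE1,                       /* name */
     SSL3_CK_GREASE1,                        /* id */
     SSL_kRSA,                               /* key exchange */
     SSL_aRSA,                               /* authentication */
     SSL_RC4,                                /* encryption */
     SSL_MD5,                                /* MAC */
     SSL3_VERSION, TLS1_2_VERSION,           /* min/max TLS version */
     0, 0,                                   /* min/max DTLS version */
     SSL_NOT_DEFAULT | SSL_MEDIUM,           /* strength flags */
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,   /* handshake MAC and PRF */
     128,                                    /* strength bits */
     128,                                    /* algorithm bits */
 },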

If I'm just trying to use it as a pseudo cipher for ClientHello messages,
how should it look in the above struct? And how can I get it to send without
specifying SECLEVEL=0?

Bonus Question: Is it possible to remove the SCSV cipher in the ClientHello?

Thanks for any help






Re: [openssl-users] Integrating New Cipher Suite

2017-04-18 Thread Dr. Stephen Henson
On Fri, Apr 14, 2017, Schmicker, Robert wrote:

> 
> 
> After some debugging (exactly as mentioned above) it appears that the cipher 
> suite does not show up in the ClientHello using the s_client/s_server. I 
> modified the cipher for testing to use 512 bits instead of 64 so that it is 
> ranked highest.
> 
> Error server side:
> SSL routines:tls_post_process_client_hello:no shared 
> cipher:ssl/statem/statem_srvr.c:1979
> 
> Error Client side:
> SSL routines:ssl3_read_bytes:tlsv1 alert internal 
> error:ssl/record/rec_layer_s3.c:1469:SSL alert number 80
> 
> Any idea why the cipher would appear under the list of supported tls1.2 
> ciphers, yet it does not appear under the ClientHello even if specified with 
> the -cipher option?
> 

Hmm... it's not clear why the cipher isn't being sent in client hello. What
output do you get with -security_debug_verbose option? Also try including
@SECLEVEL=0 in the cipher string.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
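
Why `@SECLEVEL=0` changes what is offered, as an added example that is not part of the original post and not OpenSSL's source: a simplified model of the rules documented for SSL_CTX_set_security_level(), applied to the table entries quoted in this thread. All type, flag and function names are hypothetical, and the four entries are constructed from the values shown in the thread.

```c
#include <stdio.h>

/* Hypothetical flags for this model; they stand in for the roles of
 * OpenSSL's key-exchange, cipher and MAC fields but are not its macros. */
enum { KX_RSA, KX_DHE, KX_ECDHE };
enum { ENC_RC4, ENC_OTHER };
enum { MAC_MD5, MAC_SHA1, MAC_AEAD };

struct suite_model {
    const char *name;
    int kx, enc, mac;
    int strength_bits;   /* first of the two trailing numbers in the entry */
};

/* Returns NULL if the suite passes at this level, else the rejecting rule. */
const char *seclevel_reject_reason(const struct suite_model *c, int level)
{
    static const int minbits[5] = { 80, 112, 128, 192, 256 };

    if (level <= 0)
        return NULL;                    /* level 0: everything is permitted */
    if (level > 5)
        level = 5;
    if (c->strength_bits < minbits[level - 1])
        return "below minimum security bits";
    if (c->mac == MAC_MD5)
        return "MD5 MAC";               /* prohibited from level 1 upwards */
    if (level >= 2 && c->enc == ENC_RC4)
        return "RC4";
    if (level >= 3 && c->kx == KX_RSA)
        return "no forward secrecy";
    if (level >= 4 && c->mac == MAC_SHA1)
        return "SHA1 MAC";
    return NULL;
}

/* Highest level (0..5) at which the suite is still permitted. */
int max_seclevel(const struct suite_model *c)
{
    int level = 5;

    while (level > 0 && seclevel_reject_reason(c, level) != NULL)
        level--;
    return level;
}

/* Constructed from the entries and the s_client command quoted in the thread. */
const struct suite_model GREASE_AS_RC4_MD5 =
    { "GREASE entry copied from RC4-MD5", KX_RSA, ENC_RC4, MAC_MD5, 128 };
const struct suite_model MYCIPHER_64 =
    { "MYCIPHER, 64 bits", KX_ECDHE, ENC_OTHER, MAC_AEAD, 64 };
const struct suite_model MYCIPHER_512 =
    { "MYCIPHER, 512 bits", KX_ECDHE, ENC_OTHER, MAC_AEAD, 512 };
const struct suite_model AES256_SHA =
    { "ECDHE-RSA-AES256-SHA", KX_ECDHE, ENC_OTHER, MAC_SHA1, 256 };

int main(void)
{
    const struct suite_model *all[] =
        { &GREASE_AS_RC4_MD5, &MYCIPHER_64, &MYCIPHER_512, &AES256_SHA };
    size_t i;

    for (i = 0; i < sizeof all / sizeof all[0]; i++) {
        const char *why = seclevel_reject_reason(all[i], 1);
        printf("%-34s max level %d, at level 1: %s\n", all[i]->name,
               max_seclevel(all[i]), why ? why : "permitted");
    }
    return 0;
}
```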


Re: [openssl-users] Integrating New Cipher Suite

2017-04-13 Thread Schmicker, Robert
Added a define in include/openssl/ssl.h:
   # define SSL_TXT_MYCIPHER   "MYCIPHER"

Integrated into ssl/s3_lib.c:
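   static SSL_CIPHER ssl3_ciphers[] = {

       {
           1,                                            /* valid */
           TLS1_TXT_ECDHE_ECDSA_WITH_MYCIPHER_SHA384,    /* name */
           TLS1_CK_ECDHE_ECDSA_WITH_MYCIPHER_SHA384,     /* id */
           SSL_kECDHE,                                   /* key exchange */
           SSL_aECDSA,                                   /* authentication */
           SSL_MYCIPHER,                                 /* encryption */
           SSL_AEAD,                                     /* MAC */
           TLS1_2_VERSION, TLS1_2_VERSION,               /* min/max TLS version */
           DTLS1_2_VERSION, DTLS1_2_VERSION,             /* min/max DTLS version */
           SSL_HIGH | SSL_FIPS,                          /* strength flags */
           SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,   /* handshake MAC and PRF */
           64,                                           /* strength bits */
           64,                                           /* algorithm bits */
       },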


>That's a pretty small number of bits. Do you really mean it to be only 64?
>
>Does your ciphersuite show up with cipher -s?
>
>It's possible it is being rejected because it has insufficient security. If
>the number of bits is really 64 you could try dropping the security level to
>0 to allow it.
>
>If that doesn't help enable trace support with enable-ssl-trace and then try
>the -trace command to s_client/s_server and see if the new ciphersuite is
>sent in ClientHello
>
>Steve.
>--
>Dr Stephen N. Henson. OpenSSL project core developer.
>Commercial tech support now available see: http://www.openssl.org


After some debugging (exactly as mentioned above) it appears that the cipher 
suite does not show up in the ClientHello using the s_client/s_server. I 
modified the cipher for testing to use 512 bits instead of 64 so that it is 
ranked highest.

Error server side:
SSL routines:tls_post_process_client_hello:no shared 
cipher:ssl/statem/statem_srvr.c:1979

Error Client side:
SSL routines:ssl3_read_bytes:tlsv1 alert internal 
error:ssl/record/rec_layer_s3.c:1469:SSL alert number 80

Any idea why the cipher would appear under the list of supported tls1.2 
ciphers, yet it does not appear under the ClientHello even if specified with 
the -cipher option?

Thank you for any leads!
Rob


Re: [openssl-users] Integrating New Cipher Suite

2017-04-11 Thread Schmicker, Robert
0);
>}
> 
> 
>if ( ctx == NULL )
>{
>ERR_print_errors_fp(stderr);
>abort();
>}
>return ctx;
> }
> 
> server:
> 
> SSL_CTX* InitServerCTX(void)
> {
>     const SSL_METHOD *method;
>     SSL_CTX *ctx;
>
>     OpenSSL_add_all_algorithms();     /* load & register all cryptos, etc. */
>     SSL_load_error_strings();         /* load all error messages */
>     method = SSLv23_server_method();  /* create new server-method instance */
>     ctx = SSL_CTX_new(method);        /* create new context from method */
>
>     /* Check the context before it is used */
>     if ( ctx == NULL )
>     {
>         ERR_print_errors_fp(stderr);
>         abort();
>     }
>
>     /* Set cipher to use */
>     if (SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-MYCIPHER-SHA256") <= 0) {
>         printf("Error setting the cipher list.\n");
>         exit(EXIT_FAILURE);
>     }
>     return ctx;
> }
> 
> Thank you,
> Rob
> 
> 
> 

Re: [openssl-users] Integrating New Cipher Suite

2017-04-10 Thread Dr. Stephen Henson
On Sat, Apr 08, 2017, Schmicker, Robert wrote:

> Hello,
> 
> I'm attempting to integrate a customized cipher suite for TLS 1.2,
> however no matter what I try I always seem to end up with this error
> (client side):
> 
> SSL routines:ssl_cipher_list_to_bytes:no ciphers
> available:ssl/statem/statem_clnt.c:3567
> 
> Can anyone give some further explanation on this?
> 
> Here's some snippets from the client and server setup.
> 
> client:
> 

That sounds like the cipher isn't visible.

I'd suggest trying s_client/s_server first.

Which version of OpenSSL are you using?

Does your new cipher appear in "openssl ciphers"? If so does the output look
sensible? Does it appear with the -s option too?

Is the cipher visible using "openssl list -cipher-algorithms" (OpenSSL 1.1.0)
or "openssl list-cipher-algorithms" (OpenSSL 1.0.2).

Is your new cipher usable via the command line utilities like "enc"? Does it
seem to be behaving as expected?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Integrating New Cipher Suite

2017-04-10 Thread Matt Caswell


On 08/04/17 18:56, Schmicker, Robert wrote:
> Hello,
> 
> I'm attempting to integrate a customized cipher suite for TLS 1.2,
> however no matter what I try I always seem to end up with this error
> (client side):
> 
> SSL routines:ssl_cipher_list_to_bytes:no ciphers
> available:ssl/statem/statem_clnt.c:3567
> 
> Can anyone give some further explanation on this?

There is no way of dynamically adding new TLS1.2 ciphersuites into
OpenSSL. The only way to do this is to modify the source code. If that's
what you've done then you're going to need to provide a lot more
information about the changes you have made before anyone can help!

Matt


> 
> Here's some snippets from the client and server setup.
> 
> client:
> 
> #include <stdio.h>
> #include <stdlib.h>
> #include <openssl/ssl.h>
> #include <openssl/err.h>
>
> SSL_CTX* InitCTX(void)
> {
>     const SSL_METHOD *method;
>     SSL_CTX *ctx;
>
>     OpenSSL_add_all_algorithms();     /* Load cryptos, et.al. */
>     SSL_load_error_strings();         /* Bring in and register error messages */
>     method = SSLv23_client_method();  /* Create new client-method instance */
>     ctx = SSL_CTX_new(method);        /* Create new context */
>
>     /* Check the context before it is used */
>     if ( ctx == NULL )
>     {
>         ERR_print_errors_fp(stderr);
>         abort();
>     }
>
>     /* Set cipher to use */
>     if (SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-MYCIPHER-SHA256") <= 0) {
>         printf("Error setting the cipher list.\n");
>         exit(EXIT_FAILURE);
>     }
>     return ctx;
> }
>
> server:
>
> SSL_CTX* InitServerCTX(void)
> {
>     const SSL_METHOD *method;
>     SSL_CTX *ctx;
>
>     OpenSSL_add_all_algorithms();     /* load & register all cryptos, etc. */
>     SSL_load_error_strings();         /* load all error messages */
>     method = SSLv23_server_method();  /* create new server-method instance */
>     ctx = SSL_CTX_new(method);        /* create new context from method */
>
>     /* Check the context before it is used */
>     if ( ctx == NULL )
>     {
>         ERR_print_errors_fp(stderr);
>         abort();
>     }
>
>     /* Set cipher to use */
>     if (SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-MYCIPHER-SHA256") <= 0) {
>         printf("Error setting the cipher list.\n");
>         exit(EXIT_FAILURE);
>     }
>     return ctx;
> }
> 
> Thank you,
> Rob
> 