Re: [openssl-users] enable TLS_RSA_WITH_RC4_128_MD5 in openssl 1.1.0e?

2017-06-05 Thread Siyuan Xiang
Yes, you are right. The openssl binary is linking to the wrong shared library.

The code is fine; it's linking to the static library.

Thanks.

Regards,
Siyuan
---

On Mon, Jun 5, 2017 at 3:40 PM, Viktor Dukhovni wrote:

> On Thu, Jun 01, 2017 at 10:16:01AM -0700, Siyuan Xiang wrote:
>
> >
> > ./config enable-weak-ssl-ciphers --prefix=/opt
>
> Does this set a suitable RPATH?
>
> > make
> > make DESTDIR=/path/to/dir INSTALL
>
> And now install in yet another place?
>
> > $ ./openssl version
> > OpenSSL 1.1.0e  16 Feb 2017
>
> The resulting code is likely using the wrong shared libraries.
>
> --
> Viktor.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>


Re: [openssl-users] enable TLS_RSA_WITH_RC4_128_MD5 in openssl 1.1.0e?

2017-06-05 Thread Viktor Dukhovni
On Thu, Jun 01, 2017 at 10:16:01AM -0700, Siyuan Xiang wrote:

> 
> ./config enable-weak-ssl-ciphers --prefix=/opt

Does this set a suitable RPATH?

> make
> make DESTDIR=/path/to/dir INSTALL

And now install in yet another place?

> $ ./openssl version
> OpenSSL 1.1.0e  16 Feb 2017

The resulting code is likely using the wrong shared libraries.

-- 
Viktor.
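Added example, not part of any message in this thread: Viktor's two questions (is there an RPATH, and which shared libraries get loaded) can be answered from `readelf -d` and `ldd` output. The function names and the sample ldd output are constructed for illustration; /opt is the --prefix used in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): which libssl/libcrypto does a freshly
# built openssl binary load, and does it carry an RPATH/RUNPATH at all?

# Reads `ldd` output on stdin. Prints every libssl/libcrypto entry that is
# unresolved or resolved outside PREFIX ($1); returns 1 if any was printed.
foreign_ssl_libs() {
    awk -v p="${1%/}/" '
        BEGIN { bad = 0 }
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 == "not")            { print $1 " not found"; bad = 1 }
            else if (index($3, p) != 1) { print $1 " " $3;       bad = 1 }
        }
        END { exit bad }'
}

# Reads `readelf -d` output on stdin; prints the RPATH/RUNPATH value, if any.
embedded_rpath() {
    sed -n 's/.*(R\(UN\)\{0,1\}PATH).*\[\(.*\)\].*/\2/p'
}

# check_binary BIN PREFIX: run both checks against a real binary.
check_binary() {
    echo "rpath: $(readelf -d "$1" | embedded_rpath)"
    ldd "$1" | foreign_ssl_libs "$2"
}

# Constructed sample: ldd output for a binary configured with --prefix=/opt
# but without an RPATH, so the loader falls back to the system libraries.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd5a9f2000)
    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f3c1a200000)
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f3c19d00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c19900000)'

if ! printf '%s\n' "$SAMPLE_LDD" | foreign_ssl_libs /opt; then
    echo "libssl/libcrypto do not come from /opt"
fi
```

Against a real binary, run `check_binary ./openssl /opt`; an empty rpath together with flagged libraries means the loader took libssl/libcrypto from its default search path.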


Re: [openssl-users] enable TLS_RSA_WITH_RC4_128_MD5 in openssl 1.1.0e?

2017-06-05 Thread Siyuan Xiang
On Fri, Jun 2, 2017 at 1:29 AM, Matt Caswell wrote:

> That's very strange. Those exact same commands work fine for me. Are you
> sure you are picking up the version of 1.1.0e compiled with
> enable-weak-ssl-ciphers and not some other previous compilation of 1.1.0e?
>

Yes, I am sure that it's compiled with enable-weak-ssl-ciphers.

Regards,
Siyuan
---


Re: [openssl-users] enable TLS_RSA_WITH_RC4_128_MD5 in openssl 1.1.0e?

2017-06-02 Thread Matt Caswell


On 01/06/17 18:16, Siyuan Xiang wrote:
> Hi Matt,
> 
> I tried the following command; it failed. The following is my command.
> 
> ./config enable-weak-ssl-ciphers --prefix=/opt
> make
> make DESTDIR=/path/to/dir INSTALL
> 
> $ ./openssl version
> OpenSSL 1.1.0e  16 Feb 2017
> 
> ./openssl s_client -cipher "RC4-MD5:@SECLEVEL=0"
> 
> error setting cipher list
> 140369010624144:error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:ssl_ciph.c:1337:
> 
> 
> ./openssl ciphers "RC4-MD5:@SECLEVEL=0"
> Error in cipher list
> 140458428679936:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2018:

That's very strange. Those exact same commands work fine for me. Are you
sure you are picking up the version of 1.1.0e compiled with
enable-weak-ssl-ciphers and not some other previous compilation of 1.1.0e?

Matt


> 
> However, after I changed the order of the SSL_CTX_set_XXX function
> calls, TLS_RSA_WITH_RC4_128_MD5 does appear in the client hello cipher list.
> 
> SSL_CTX_set_security_level(ctx, 0);
> SSL_CTX_set_cipher_list(ctx, "ALL:RC4-MD5");
> 
> Regards,
> Siyuan
> ---
> 
> On Thu, Jun 1, 2017 at 2:41 AM, Matt Caswell wrote:
>
> > On 31/05/17 21:22, Siyuan Xiang wrote:
> > > Hi all,
> > >
> > > I have a legacy server that only accepts the TLS_RSA_WITH_RC4_128_MD5 cipher.
> > >
> > > I have a client using openssl 1.1.0e. It doesn't include
> > > TLS_RSA_WITH_RC4_128_MD5.
> > > I have recompiled openssl using enable-weak-ssl-ciphers, but it
> > > doesn't work,
> > > but TLS_RSA_WITH_RC4_128_SHA is in the client hello message.
> > >
> > > It looks like all MD5-related ciphers are removed. I tried to
> > > use SSL_CTX_set_security_level to
> > > set the level to 0, but it doesn't work.
> > >
> > > Do you have any idea how to enable TLS_RSA_WITH_RC4_128_MD5?
> >
> > How have you configured your ciphersuite list? I can get this to work in
> > 1.1.0 using s_server and s_client.
> >
> > Having built with "enable-weak-ssl-ciphers" I start up s_server like
> > this:
> >
> > $ openssl s_server -cipher "RC4-MD5:@SECLEVEL=0"
> >
> > And then run s_client like this:
> >
> > $ openssl s_client -cipher "RC4-MD5:@SECLEVEL=0"
> >
> > The connection is successful and uses the RC4-MD5 ciphersuite (aka
> > TLS_RSA_WITH_RC4_128_MD5).
> >
> > Matt


Re: [openssl-users] enable TLS_RSA_WITH_RC4_128_MD5 in openssl 1.1.0e?

2017-06-01 Thread Siyuan Xiang
Hi Matt,

I tried the following command; it failed. The following is my command.

./config enable-weak-ssl-ciphers --prefix=/opt
make
make DESTDIR=/path/to/dir INSTALL

$ ./openssl version
OpenSSL 1.1.0e  16 Feb 2017

./openssl s_client -cipher "RC4-MD5:@SECLEVEL=0"

error setting cipher list
140369010624144:error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:ssl_ciph.c:1337:


./openssl ciphers "RC4-MD5:@SECLEVEL=0"
Error in cipher list
140458428679936:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2018:

However, after I changed the order of the SSL_CTX_set_XXX function calls,
TLS_RSA_WITH_RC4_128_MD5 does appear in the client hello cipher list.

SSL_CTX_set_security_level(ctx, 0);
SSL_CTX_set_cipher_list(ctx, "ALL:RC4-MD5");

Regards,
Siyuan
---

On Thu, Jun 1, 2017 at 2:41 AM, Matt Caswell wrote:

>
>
> On 31/05/17 21:22, Siyuan Xiang wrote:
> > Hi all,
> >
> > I have a legacy server that only accepts the TLS_RSA_WITH_RC4_128_MD5 cipher.
> >
> > I have a client using openssl 1.1.0e. It doesn't include
> > TLS_RSA_WITH_RC4_128_MD5.
> > I have recompiled openssl using enable-weak-ssl-ciphers, but it
> > doesn't work,
> > but TLS_RSA_WITH_RC4_128_SHA is in the client hello message.
> >
> > It looks like all MD5-related ciphers are removed. I tried to
> > use SSL_CTX_set_security_level to
> > set the level to 0, but it doesn't work.
> >
> > Do you have any idea how to enable TLS_RSA_WITH_RC4_128_MD5?
>
> How have you configured your ciphersuite list? I can get this to work in
> 1.1.0 using s_server and s_client.
>
> Having built with "enable-weak-ssl-ciphers" I start up s_server like this:
>
> $ openssl s_server -cipher "RC4-MD5:@SECLEVEL=0"
>
> And then run s_client like this:
>
> $ openssl s_client -cipher "RC4-MD5:@SECLEVEL=0"
>
> The connection is successful and uses the RC4-MD5 ciphersuite (aka
> TLS_RSA_WITH_RC4_128_MD5).
>
> Matt


Re: [openssl-users] enable TLS_RSA_WITH_RC4_128_MD5 in openssl 1.1.0e?

2017-06-01 Thread Matt Caswell


On 31/05/17 21:22, Siyuan Xiang wrote:
> Hi all, 
> 
> I have a legacy server that only accepts the TLS_RSA_WITH_RC4_128_MD5 cipher.
>
> I have a client using openssl 1.1.0e. It doesn't include
> TLS_RSA_WITH_RC4_128_MD5.
> I have recompiled openssl using enable-weak-ssl-ciphers, but it
> doesn't work,
> but TLS_RSA_WITH_RC4_128_SHA is in the client hello message.
>
> It looks like all MD5-related ciphers are removed. I tried to
> use SSL_CTX_set_security_level to
> set the level to 0, but it doesn't work.
> 
> Do you have any idea how to enable TLS_RSA_WITH_RC4_128_MD5? 

How have you configured your ciphersuite list? I can get this to work in
1.1.0 using s_server and s_client.

Having built with "enable-weak-ssl-ciphers" I start up s_server like this:

$ openssl s_server -cipher "RC4-MD5:@SECLEVEL=0"

And then run s_client like this:

$ openssl s_client -cipher "RC4-MD5:@SECLEVEL=0"

The connection is successful and uses the RC4-MD5 ciphersuite (aka
TLS_RSA_WITH_RC4_128_MD5).

Matt