Hi! Running both of the following command lines results in the same error:

$ openssl ciphers -v 'ALL:!SSLv2:!TLSv1'
4564:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1222:

$ openssl ciphers -v 'ALL:!SSLv2:!SSLv3'
4564:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1222:

However if neither "!SSLv3" nor "!TLSv1" are specified, the command lists all available SSLv3 ciphersuites.

$ openssl ciphers -v 'ALL:!SSLv2'
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
(...)

The documentation of the "ciphers" OpenSSL command describes SSL v3.0 and TLS v1.0 ciphersuites as distinct/separate concepts. Or at least I understood it that way.

http://www.openssl.org/docs/apps/ciphers.html

SSL v3.0 cipher suite names start with "SSL_", TLS v1.0 cipher suite names start with "TLS_".

If that is true, then it does not seem to be proper operation to remove both SSLv3 and TLSv1 cipher suites from the cipher suite list if only one of the cipher strings ("!SSLv3" xor "!TLSv1") is specified in the cipherlist parameter of the "ciphers" command.

If the cipher suites of SSLv3 and TLSv1 are not handled separately (as it seems to be), then the documentation should reflect this.

Best regards,
Zsolt

P.S.: the described symptoms were reproduced in a number of different systems. I guess the above described behaviour has been that way for ages.

Debian Lenny (5.0.8) + OpenSSL 0.9.8g (19 Oct 2007)
Debian Squeeze (6.0.2) + OpenSSL 0.9.8o (01 Jun 2010)
Ubuntu Maverick (10.10) + OpenSSL 0.9.8o (01 Jun 2010)

--
Müller Zsolt
email: [email protected] | www: http://muzso.hu/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
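
One way to check what a cipher string really selects on a given build, as an added example that is not part of the original message: it tallies the protocol column of `openssl ciphers -v` output and reports a cipher string that matches nothing instead of aborting. The function names are hypothetical, and the sample data is constructed from the seven lines quoted in the message.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Tally the protocol label (2nd column) of `openssl ciphers -v` output on stdin.
proto_summary() {
    awk 'NF >= 2 { n[$2]++ } END { for (p in n) printf "%s %d\n", p, n[p] }' | sort
}

# Constructed sample: the seven suites quoted in the message above.
sample_output() {
    cat <<'EOF'
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
EOF
}

# Expand one cipher string with the local openssl binary and summarise it.
# Returns 1 when the string selects nothing ("no cipher match"), 2 when
# openssl is not installed.
audit_cipher_string() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "$1: openssl not found"
        return 2
    fi
    if out=$(openssl ciphers -v "$1" 2>/dev/null); then
        echo "$1:"
        printf '%s\n' "$out" | proto_summary | sed 's/^/  /'
    else
        echo "$1: no cipher match"
        return 1
    fi
}

# Offline: every suite in the quoted listing carries the same label.
sample_output | proto_summary

# Live: the three cipher strings from the message, against the installed build.
for s in 'ALL:!SSLv2' 'ALL:!SSLv2:!SSLv3' 'ALL:!SSLv2:!TLSv1'; do
    audit_cipher_string "$s" || true
done
```

The live results depend on the installed OpenSSL version, so run the audit on the build that will serve traffic before putting a protocol exclusion into a server configuration.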
