Hello,

I believe I have found a bug with restricting cipher suites using 
SSL_CTX_set_cipher_list. When I provide a large filter list I still get the 
cipher suite "SRP-RSA-AES-256-CBC-SHA" as output, even though it is specified 
to be removed. When I only disable "SRP-RSA-AES-256-CBC-SHA", it is correctly 
not listed. Removing only a few cipher suites from the large filter results in 
SRP-RSA-AES-256-CBC-SHA no longer being shown.


$ openssl ciphers 'ALL:!aNULL:!eNULL:!ADH-DES-CBC-SHA:!ADH-RC4-MD5:!AECDH-RC4-SHA:!AES128-GCM-SHA256:!AES128-SHA:!AES128-SHA256:!AES256-GCM-SHA384:!AES256-SHA:!AES256-SHA256:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!DES-CBC-MD5:!DES-CBC-SHA:!DES-CBC3-MD5:!DES-CBC3-SHA:!DHE-DSS-AES128-GCM-SHA256:!DHE-DSS-AES128-SHA:!DHE-DSS-AES128-SHA256:!DHE-DSS-AES256-GCM-SHA384:!DHE-DSS-AES256-SHA:!DHE-DSS-AES256-SHA256:!DHE-DSS-CAMELLIA128-SHA:!DHE-DSS-CAMELLIA256-SHA:!DHE-DSS-SEED-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-SEED-SHA:!ECDH-ECDSA-AES128-GCM-SHA256:!ECDH-ECDSA-AES128-SHA:!ECDH-ECDSA-AES128-SHA256:!ECDH-ECDSA-AES256-GCM-SHA384:!ECDH-ECDSA-AES256-SHA:!ECDH-ECDSA-AES256-SHA384:!ECDH-ECDSA-DES-CBC3-SHA:!ECDH-ECDSA-RC4-SHA:!ECDH-RSA-AES128-GCM-SHA256:!ECDH-RSA-AES128-SHA:!ECDH-RSA-AES128-SHA256:!ECDH-RSA-AES256-GCM-SHA384:!ECDH-RSA-AES256-SHA:!ECDH-RSA-AES256-SHA384:!ECDH-RSA-DES-CBC3-SHA:!ECDH-RSA-RC4-SHA:!ECDHE-ECDSA-AES128-GCM-SHA256:!ECDHE-ECDSA-AES128-SHA:!ECDHE-ECDSA-AES128-SHA256:!ECDHE-ECDSA-AES256-GCM-SHA384:!ECDHE-ECDSA-AES256-SHA:!ECDHE-ECDSA-AES256-SHA384:!ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-AES128-GCM-SHA256:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-GCM-SHA384:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-RC4-SHA:!EDH-DSS-DES-CBC-SHA:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC-SHA:!EDH-RSA-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-RC4-MD5:!EXP-DES-CBC-SHA:!EXP-EDH-DSS-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!IDEA-CBC-MD5:!IDEA-CBC-SHA:!NULL-MD5:!PSK-3DES-EDE-CBC-SHA:!PSK-AES128-CBC-SHA:!PSK-AES256-CBC-SHA:!PSK-RC4-SHA:!RC2-CBC-MD5:!RC4-MD5:!RC4-SHA:!SEED-SHA:!SRP-DSS-3DES-EDE-CBC-SHA:!SRP-DSS-AES-128-CBC-SHA:!SRP-DSS-AES-256-CBC-SHA:!SRP-RSA-3DES-EDE-CBC-SHA:!SRP-RSA-AES-128-CBC-SHA:!SRP-RSA-AES-256-CBC-SHA:@STRENGTH'

I get the output "SRP-RSA-AES-256-CBC-SHA", which is not expected. No error 
messages are printed.


$ openssl ciphers 'ALL:!aNULL:!eNULL:!AES128-SHA:!AES128-SHA256:!AES256-GCM-SHA384:!AES256-SHA:!AES256-SHA256:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!DES-CBC-MD5:!DES-CBC-SHA:!DES-CBC3-MD5:!DES-CBC3-SHA:!DHE-DSS-AES128-GCM-SHA256:!DHE-DSS-AES128-SHA:!DHE-DSS-AES128-SHA256:!DHE-DSS-AES256-GCM-SHA384:!DHE-DSS-AES256-SHA:!DHE-DSS-AES256-SHA256:!DHE-DSS-CAMELLIA128-SHA:!DHE-DSS-CAMELLIA256-SHA:!DHE-DSS-SEED-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-SEED-SHA:!ECDH-ECDSA-AES128-GCM-SHA256:!ECDH-ECDSA-AES128-SHA:!ECDH-ECDSA-AES128-SHA256:!ECDH-ECDSA-AES256-GCM-SHA384:!ECDH-ECDSA-AES256-SHA:!ECDH-ECDSA-AES256-SHA384:!ECDH-ECDSA-DES-CBC3-SHA:!ECDH-ECDSA-RC4-SHA:!ECDH-RSA-AES128-GCM-SHA256:!ECDH-RSA-AES128-SHA:!ECDH-RSA-AES128-SHA256:!ECDH-RSA-AES256-GCM-SHA384:!ECDH-RSA-AES256-SHA:!ECDH-RSA-AES256-SHA384:!ECDH-RSA-DES-CBC3-SHA:!ECDH-RSA-RC4-SHA:!ECDHE-ECDSA-AES128-GCM-SHA256:!ECDHE-ECDSA-AES128-SHA:!ECDHE-ECDSA-AES128-SHA256:!ECDHE-ECDSA-AES256-GCM-SHA384:!ECDHE-ECDSA-AES256-SHA:!ECDHE-ECDSA-AES256-SHA384:!ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-AES128-GCM-SHA256:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-GCM-SHA384:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-RC4-SHA:!EDH-DSS-DES-CBC-SHA:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC-SHA:!EDH-RSA-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-RC4-MD5:!EXP-DES-CBC-SHA:!EXP-EDH-DSS-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!IDEA-CBC-MD5:!IDEA-CBC-SHA:!NULL-MD5:!PSK-3DES-EDE-CBC-SHA:!PSK-AES128-CBC-SHA:!PSK-AES256-CBC-SHA:!PSK-RC4-SHA:!RC2-CBC-MD5:!RC4-MD5:!RC4-SHA:!SEED-SHA:!SRP-DSS-3DES-EDE-CBC-SHA:!SRP-DSS-AES-128-CBC-SHA:!SRP-DSS-AES-256-CBC-SHA:!SRP-RSA-3DES-EDE-CBC-SHA:!SRP-RSA-AES-128-CBC-SHA:!SRP-RSA-AES-256-CBC-SHA:@STRENGTH' | tr ':' '\n' | grep SRP-RSA-AES-256-CBC-SHA

I get no output as expected.


$ openssl ciphers 'ALL:!aNULL:!eNULL:!SRP-RSA-AES-256-CBC-SHA' | tr ':' '\n' | grep SRP-RSA-AES-256-CBC-SHA

I get no output as expected.


$ openssl version
OpenSSL 1.0.1e 11 Feb 2013

$ uname -srvo
Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 GNU/Linux

$ lsb_release -a
No LSB modules are available.
Distributor ID:   Debian
Description:       Debian GNU/Linux 7.3 (wheezy)
Release:              7.3
Codename:        wheezy

Many thanks,
Matthew Bradbury
Hitachi Data Systems

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
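Not part of the original report: a small Python model of the cipher-string rule semantics that ciphers(1) documents (a plain keyword adds matching suites, "-" removes them but a later rule may add them back, "!" removes them permanently, "+" moves already-selected matches to the end, and "@STRENGTH" sorts by key length), written to show what the reporter's exclusion string is expected to produce. It is not OpenSSL's implementation and does not reproduce the reported behaviour. The suite table and its keyword tags are constructed for illustration (the names are taken from the report, the tags and key lengths were assigned by hand), and exclusion_spec and is_excluded are helpers added here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    """One cipher suite and the keywords it matches (tags are illustrative)."""
    name: str
    kx: str    # key exchange keyword, e.g. ECDHE, SRP, ADH
    auth: str  # authentication keyword, e.g. RSA, DSS, aNULL
    enc: str   # encryption keyword, e.g. AES256, RC4, eNULL
    bits: int  # key length used by @STRENGTH


# Constructed sample table: names from the report, tags assigned by hand.
SUITES = (
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE", "RSA", "AESGCM", 256),
    Suite("SRP-RSA-AES-256-CBC-SHA", "SRP", "RSA", "AES256", 256),
    Suite("SRP-DSS-AES-256-CBC-SHA", "SRP", "DSS", "AES256", 256),
    Suite("AES128-SHA", "RSA", "RSA", "AES128", 128),
    Suite("ADH-RC4-MD5", "ADH", "aNULL", "RC4", 128),
    Suite("NULL-MD5", "RSA", "RSA", "eNULL", 0),
)


def matches(suite, word):
    """A word matches by suite name or tag; 'A+B' requires every part to match."""
    if word == "ALL":
        return suite.enc != "eNULL"  # ALL is everything except the eNULL suites
    tags = {suite.name, suite.kx, suite.auth, suite.enc}
    return all(part in tags for part in word.split("+"))


def apply_cipher_string(spec, table=SUITES):
    """Evaluate spec left to right; return the selected suite names in order."""
    selected, killed = [], set()
    for rule in spec.split(":"):
        if not rule:
            continue
        if rule == "@STRENGTH":
            selected.sort(key=lambda s: s.bits, reverse=True)  # stable sort
            continue
        op, word = (rule[0], rule[1:]) if rule[0] in "!-+" else ("", rule)
        hits = {s.name for s in table if matches(s, word)}
        if op == "!":        # delete now and never allow the suite back
            killed |= hits
            selected = [s for s in selected if s.name not in hits]
        elif op == "-":      # delete now, but a later rule may re-add it
            selected = [s for s in selected if s.name not in hits]
        elif op == "+":      # move already-selected matches to the end
            kept = [s for s in selected if s.name not in hits]
            selected = kept + [s for s in selected if s.name in hits]
        else:                # add matches that are neither killed nor present
            present = {s.name for s in selected}
            selected += [s for s in table
                         if s.name in hits and s.name not in killed
                         and s.name not in present]
    return [s.name for s in selected]


def exclusion_spec(names):
    """Build a string in the shape used in the report: ALL:!aNULL:!eNULL:!X:...:@STRENGTH."""
    return "ALL:!aNULL:!eNULL:" + ":".join("!" + n for n in names) + ":@STRENGTH"


def is_excluded(spec, name, table=SUITES):
    """True when name does not survive spec, which a '!name' rule must guarantee."""
    return name not in apply_cipher_string(spec, table)


if __name__ == "__main__":
    everything = [s.name for s in SUITES if s.auth != "aNULL" and s.enc != "eNULL"]
    spec = exclusion_spec(everything)
    print(spec)
    print("remaining:", apply_cipher_string(spec))
    print("SRP-RSA-AES-256-CBC-SHA excluded:",
          is_excluded(spec, "SRP-RSA-AES-256-CBC-SHA"))
```

Under the documented semantics a suite named in a "!" rule cannot survive, whatever the length of the string, so the model returns an empty list for the large exclusion string; comparing that expectation against the output of openssl ciphers on the affected build is the check behind the report above.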