On 08/29/2014 08:16 AM, Tomas Mraz wrote:
> On Pá, 2014-08-29 at 16:19 +0200, Frank Meier wrote:
>> While testing different ciphersuites I found a quite drastic change in
>> the behavior between openssl version 1.0.1h to 1.0.1i. While using a
>> cipherlist like "ECDHE-RSA-AES128-SHA256:RC4" with 1.0.1h the
>> "ECDHE-RSA-AES128-SHA256" cipher is used. With 1.0.1i uses "RC4-SHA".
> This happens because you use specification of cipherlist that does not
> make sense - that is with the RC4 you add also SSLv2 ciphers to the
> cipher list and simultaneously you add only EC based cipher in addition.
> With SSLv2 client hello the supported curves extension cannot be sent
> and thus the EC based ciphers must not be sent as well. If there was for
> example DHE-RSA-AES128-GCM-SHA256 in the cipher list, it would be
> correctly sent in the hello and chosen for the connection. I can't see
> anyone using such specification in real world.
>
> Basically what you specify is what you get.

The CipherSuite list that Frank posted clearly indicated his preference for ECDHE-RSA-AES128-SHA256 ahead of RC4. By "respecting" the inclusion of RC4's SSLv2 ciphersuites and sending a v2 handshake, OpenSSL is effectively disabling a higher-priority selection.

I acknowledge that the tradeoff is a tricky one -- if OpenSSL makes the opposite choice, it will break interop with SSLv2 servers that choke on the handshake. But SSLv2 is known-broken, arguably even worse than RC4.

At any rate, I'm not sure this scenario counts as "what you specify is what you get", since the OP specified that they preferred ECDHE-RSA-AES128-SHA256 to RC4 and they didn't get it. I'd rather that OpenSSL respected the user's stated preference here than enable interop with SSLv2 servers.

--dkg
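The behaviour discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL's code: a simplified Python model of how an SSLv2 suite in the expanded list forces an extension-less hello and drops the EC suite. The cipher table, the `RC4-MD5(v2)` label, the function names and the sample server set are constructed; `!SSLv2` is OpenSSL's cipher-string exclusion syntax, used here as one way to keep the TLS hello.

```python
# Simplified model of the client-side behaviour described in this thread.
# The table below is constructed and abbreviated; it is not OpenSSL's own.
CIPHERS = {  # name -> (protocol family, is EC-based)
    "ECDHE-RSA-AES128-SHA256": ("TLSv1.2", True),
    "DHE-RSA-AES128-GCM-SHA256": ("TLSv1.2", False),
    "RC4-SHA": ("SSLv3", False),
    "RC4-MD5": ("SSLv3", False),
    "RC4-MD5(v2)": ("SSLv2", False),  # constructed label for the SSLv2 RC4 suite
}
ALIASES = {
    "RC4": ["RC4-SHA", "RC4-MD5", "RC4-MD5(v2)"],
    "SSLv2": ["RC4-MD5(v2)"],
}

def expand(cipher_string):
    """Expand a colon-separated cipher string, honouring '!' exclusions."""
    selected, banned = [], set()
    for token in cipher_string.split(":"):
        name = token.lstrip("!")
        names = [n for n in ALIASES.get(name, [name]) if n in CIPHERS]
        if token.startswith("!"):
            banned.update(names)          # '!' removes a suite permanently
        else:
            selected += [n for n in names if n not in selected]
    return [n for n in selected if n not in banned]

def client_hello(cipher_string):
    """Return (hello_format, offered_suites) for the given cipher string."""
    suites = expand(cipher_string)
    if any(CIPHERS[s][0] == "SSLv2" for s in suites):
        # An SSLv2-format hello carries no extensions, so the supported
        # curves extension cannot be sent and EC suites are left out.
        return "SSLv2-compatible", [s for s in suites if not CIPHERS[s][1]]
    return "TLS", suites

def negotiate(cipher_string, server_supported):
    """First offered suite the server supports, in client preference order."""
    _, offered = client_hello(cipher_string)
    return next((s for s in offered if s in server_supported), None)

# Constructed sample server for the demonstration.
SERVER = {"ECDHE-RSA-AES128-SHA256", "DHE-RSA-AES128-GCM-SHA256", "RC4-SHA"}

if __name__ == "__main__":
    for spec in ("ECDHE-RSA-AES128-SHA256:RC4",
                 "ECDHE-RSA-AES128-SHA256:RC4:!SSLv2",
                 "DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4"):
        print(spec, "->", client_hello(spec)[0], "/", negotiate(spec, SERVER))
```
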