On 08/29/2014 08:16 AM, Tomas Mraz wrote: > On Pá, 2014-08-29 at 16:19 +0200, Frank Meier wrote: >> While testing different ciphersuites I found a quite drastic change in >> the behavior between openssl version 1.0.1h to 1.0.1i. While using a >> cipherlist like "ECDHE-RSA-AES128-SHA256:RC4" with 1.0.1h the >> "ECDHE-RSA-AES128-SHA256" cipher is used. With 1.0.1i uses "RC4-SHA".
> This happens because you use specification of cipherlist that does not
> make sense - that is with the RC4 you add also SSLv2 ciphers to the
> cipher list and simultaneously you add only EC based cipher in addition.
> With SSLv2 client hello the supported curves extension cannot be sent
> and thus the EC based ciphers must not be sent as well. If there was for
> example DHE-RSA-AES128-GCM-SHA256 in the cipher list, it would be
> correctly sent in the hello and chosen for the connection. I can't see
> anyone using such specification in real world.
>
> Basically what you specify is what you get.
the CipherSuite list that Frank posted clearly indicated his preference
for ECDHE-RSA-AES128-SHA256 ahead of RC4.
By "respecting" the inclusion of RC4's SSLv2 ciphersuites and sending a
v2 handshake, OpenSSL is effectively disabling a higher-priority
selection. I acknowledge that the tradeoff is a tricky one -- if
OpenSSL makes the opposite choice, it will break interop with SSLv2
servers that choke on the handshake. But SSLv2 is known-broken,
arguably even worse than RC4.
At any rate, I'm not sure this scenario counts as "what you specify is
what you get", since the OP specified that they preferred
ECDHE-RSA-AES128-SHA256 to RC4 and they didn't get it. I'd rather that
OpenSSL respected the user's stated preference here than enable interop
with SSLv2 servers.
--dkg
signature.asc
Description: OpenPGP digital signature
