Hi,
I'm finally catching up and updating our OPENSSL *.dll distribution
with the latest build (0.9.8i). We had 0.9.8a (2006 time frame).
The main reason is that we got inquiries regarding AES and SSL3 and
cipher suites.
I am trying to recall all our work, but I thought we had server
support for this already by allowing the server operator to set the
cipher suite in his ssl host setup to:
    ALL:!ADH:RC4+RSA:+SSLv3:@STRENGTH
Based on my compile of 0.9.8i, comparing the output of
    openssl ciphers
for both 0.9.8a and 0.9.8i, I see that in the latest, there were
some ciphers removed:
DHE-RSA-AES256-SHA:
DHE-DSS-AES256-SHA:
AES256-SHA:
EDH-RSA-DES-CBC3-SHA:
EDH-DSS-DES-CBC3-SHA:
DES-CBC3-SHA:
DES-CBC3-MD5:
DHE-RSA-AES128-SHA:
DHE-DSS-AES128-SHA:
AES128-SHA:
IDEA-CBC-SHA:
IDEA-CBC-MD5:
RC2-CBC-MD5:
DHE-DSS-RC4-SHA: removed in 0.9.8i
RC4-SHA:
RC4-MD5:
RC4-MD5:
RC4-64-MD5: removed in 0.9.8i
EXP1024-DHE-DSS-DES-CBC-SHA: removed in 0.9.8i
EXP1024-DES-CBC-SHA: removed in 0.9.8i
EXP1024-RC2-CBC-MD5: removed in 0.9.8i
EDH-RSA-DES-CBC-SHA:
EDH-DSS-DES-CBC-SHA:
DES-CBC-SHA:
DES-CBC-MD5:
EXP1024-DHE-DSS-RC4-SHA: removed in 0.9.8i
EXP1024-RC4-SHA: removed in 0.9.8i
EXP1024-RC4-MD5: removed in 0.9.8i
EXP-EDH-RSA-DES-CBC-SHA:
EXP-EDH-DSS-DES-CBC-SHA:
EXP-DES-CBC-SHA:
EXP-RC2-CBC-MD5:
EXP-RC2-CBC-MD5:
EXP-RC4-MD5:
EXP-RC4-MD5
I am wondering if someone can give a synopsis or summary of what
the operation changes are here and what this means in terms of AES and
SSL3 support. Is the cipher suite we have by default sufficient for
SSL3 and AES? Even for the old distribution?
Thanks
-- Hector
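Added example, not part of the original message: a Python version of the comparison described above, run over the names listed in the post rather than live `openssl ciphers` output, reporting what was dropped and whether the AES suites are on both sides. The constant and function names are assumptions, and the 0.9.8i list is constructed by dropping the entries the post marks as removed.

```python
from collections import Counter

# Constructed input: the names listed in the post, joined with ":" the way
# `openssl ciphers` prints them.
OLD_098A = ":".join("""
DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA DES-CBC3-MD5 DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA AES128-SHA IDEA-CBC-SHA IDEA-CBC-MD5 RC2-CBC-MD5
DHE-DSS-RC4-SHA RC4-SHA RC4-MD5 RC4-MD5 RC4-64-MD5
EXP1024-DHE-DSS-DES-CBC-SHA EXP1024-DES-CBC-SHA EXP1024-RC2-CBC-MD5
EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA DES-CBC-MD5
EXP1024-DHE-DSS-RC4-SHA EXP1024-RC4-SHA EXP1024-RC4-MD5
EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5 EXP-RC2-CBC-MD5 EXP-RC4-MD5 EXP-RC4-MD5
""".split())
# Entries the post marks "removed in 0.9.8i".
MARKED_REMOVED = {
    "DHE-DSS-RC4-SHA", "RC4-64-MD5", "EXP1024-DHE-DSS-DES-CBC-SHA",
    "EXP1024-DES-CBC-SHA", "EXP1024-RC2-CBC-MD5", "EXP1024-DHE-DSS-RC4-SHA",
    "EXP1024-RC4-SHA", "EXP1024-RC4-MD5",
}
NEW_098I = ":".join(n for n in OLD_098A.split(":") if n not in MARKED_REMOVED)


def parse(output):
    """Split colon-separated output into a multiset; names can repeat
    (RC4-MD5 appears twice in the post's list), so a set would lose entries."""
    return Counter(n for n in output.strip().split(":") if n)


def diff(old_output, new_output):
    """Return (removed, added) suite names between two outputs."""
    old, new = parse(old_output), parse(new_output)
    return sorted((old - new).elements()), sorted((new - old).elements())


def matching(output, needle):
    """Distinct suite names containing `needle`, e.g. "AES" or "EXP"."""
    return sorted(n for n in parse(output) if needle in n)


if __name__ == "__main__":
    removed, added = diff(OLD_098A, NEW_098I)
    print("removed:", removed)
    print("added:", added)
    print("AES in old:", matching(OLD_098A, "AES"))
    print("AES in new:", matching(NEW_098I, "AES"))
    print("export-grade still listed:", matching(NEW_098I, "EXP"))
```

To compare real builds, pass each binary's `openssl ciphers` output to `diff()` in place of the two constants.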
Dr. Stephen Henson wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
OpenSSL version 0.9.8i released
===============================
OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 0.9.8i of our open source toolkit for SSL/TLS. This new
OpenSSL version is a bugfix release. For a complete list of changes,
please see
http://www.openssl.org/source/exp/CHANGES.
We consider OpenSSL 0.9.8i to be the best version of OpenSSL
available and we strongly recommend that users of older versions
upgrade as soon as possible. OpenSSL 0.9.8i is available for
download via HTTP and FTP from the following master locations (you
can find the various FTP mirrors under
http://www.openssl.org/source/mirror.html):
* http://www.openssl.org/source/
* ftp://ftp.openssl.org/source/
The distribution file names are:
o openssl-0.9.8i.tar.gz
Size: 3459643
MD5 checksum: 561e00f18821c74b2b86c8c7786f9d8b
SHA1 checksum: b2e029cfb68bf32eae997d60317a40945db5a65f
The checksums were calculated using the following commands:
openssl md5 openssl-0.9.*.tar.gz
openssl sha1 openssl-0.9.*.tar.gz
Yours,
The OpenSSL Project Team...
    Mark J. Cox             Nils Larsch         Ulf Möller
    Ralf S. Engelschall     Ben Laurie          Andy Polyakov
    Dr. Stephen Henson      Richard Levitte     Geoff Thorpe
    Lutz Jänicke            Bodo Möller
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Announcement Mailing List openssl-annou...@openssl.org
Automated List Manager majord...@openssl.org