OpenSSL_add_all_algorithms();
SSL_CTX_set_cipher_list(ctx, "EXPORT40:EXPORT56:aNULL:eNULL");  /* ctx: the application's SSL_CTX */

(Note that that last will enable *every* cipher, including those with
no authentication and those with no encryption.)

Why would you want to test against incredibly weak -- to comply with
US law as it existed back then -- ciphers?

-Kyle H

On Fri, Oct 9, 2009 at 4:09 AM, Mari <marihoff...@gmail.com> wrote:
> Guys, good afternoon!
>
>
> 1) OS information
>
> Server
> ------
> CentOS release 5.2
> OpenSSL 0.9.8k 25 Mar 2009
> Apache 2.2
> JBoss-4.2.2
>
> Client
> ------
> CentOS release 5.2
> OpenSSL 0.9.8b 04 May 2006 (Library: OpenSSL 0.9.8h 28 May 2008)
>
>
> Both have certificate files.
>
>
> 2) Problem and tests
>
>
> I have a system based on communication between client and server; in this
> system it is possible to send commands from the server to the client, for example,
> send log files - and the files from the client are sent to the server.
>
> But, I have had some problems with the OpenSSL. I think that the problem is
> the OpenSSL, because before some errors, I tried to communicate the server
> with the client only with OpenSSL (the command below):
>
> openssl s_client -debug -msg -ssl3 -connect 192.168.13.57:60002
> ---------------------------------------------------------------
> CONNECTED(00000003)
> write to 0x8738c20 [0x87518a0] (94 bytes => 94 (0x5E))
> 0000 - 16 03 00 00 59 01 00 00-55 03 00 4a ce 18 7c 78  ....Y...U..J..|x
> 0010 - 4f a4 1e f0 17 58 7a a8-8d ec a7 d0 0f 86 b8 68  O....Xz........h
> 0020 - 2e 86 1f d6 c5 6c ca 4f-51 15 64 00 00 28 00 39  .....l.OQ.d..(.9
> 0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f  .8.5.......3.2./
> 0040 - 00 07 00 05 00 04 00 15-00 12 00 09 00 14 00 11  ................
> 0050 - 00 08 00 06 00 03 01 00-00 04 00 23              ...........#
> 005e - <SPACES/NULS>
> >>> SSL 3.0 Handshake [length 0059], ClientHello
>     01 00 00 55 03 00 4a ce 18 7c 78 4f a4 1e f0 17
>     58 7a a8 8d ec a7 d0 0f 86 b8 68 2e 86 1f d6 c5
>     6c ca 4f 51 15 64 00 00 28 00 39 00 38 00 35 00
>     16 00 13 00 0a 00 33 00 32 00 2f 00 07 00 05 00
>     04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00
>     03 01 00 00 04 00 23 00 00
> read from 0x8738c20 [0x874d090] (5 bytes => -1 (0xFFFFFFFF))
> write:errno=104
>
> openssl s_client -debug -msg -ssl2 -connect 192.168.13.57:60002
> ---------------------------------------------------------------
> CONNECTED(00000003)
> write to 0x8945d90 [0x895c729] (48 bytes => 48 (0x30))
> 0000 - 80 2e 01 00 02 00 15 00-00 00 10 07 00 c0 05 00  ................
> 0010 - 80 03 00 80 01 00 80 06-00 40 04 00 80 02 00 80  .........@......
> 0020 - 06 c8 b3 16 3f fb a8 85-75 8c aa 90 9a a1 db 8c  ....?...u.......
> >>> SSL 2.0 [length 002e], CLIENT-HELLO
>     01 00 02 00 15 00 00 00 10 07 00 c0 05 00 80 03
>     00 80 01 00 80 06 00 40 04 00 80 02 00 80 06 c8
>     b3 16 3f fb a8 85 75 8c aa 90 9a a1 db 8c
> read from 0x8945d90 [0x8954720] (2 bytes => -1 (0xFFFFFFFF))
> write:errno=104
>
>
> openssl s_client -debug -msg -ssl3 -connect 192.168.13.57:443
> -------------------------------------------------------------
> connect: Connection refused
> connect:errno=29
>
>
> openssl s_client -debug -msg -ssl2 -connect 192.168.13.57:443
> -------------------------------------------------------------
> connect: Connection refused
> connect:errno=29
>
> Error : Apache
> --------------
> [Thu Oct 08 17:12:39 2009] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully
> [Thu Oct 08 17:12:39 2009] [info] [client 192.168.13.57] SSL library error 1 reading data
> [Thu Oct 08 17:12:39 2009] [info] SSL Library Error: 336130329 error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
> [Thu Oct 08 17:12:39 2009] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully
> [Thu Oct 08 17:12:39 2009] [info] [client 192.168.13.57] Connection closed to child 0 with standard shutdown (server sslejmtransfer.hst.br:443)
>
>
> There is a difference between the OpenSSL client and server, version and
> ciphers:
> - I tried changing the version of the OpenSSL on the server, but even
> changing it, the error didn't change.
> - My keys are 1024, and I saw that there is a difference between the ciphers
> on the server and client. Below, we can see that there are 5 ciphers
> disabled on the server (include/openssl/tls1.h), don't appear on the list
> (openssl ciphers -v).
>
> Server
> ------
> DHE-RSA-AES256-SHA
> DHE-DSS-AES256-SHA
> AES256-SHA
> EDH-RSA-DES-CBC3-SHA
> EDH-DSS-DES-CBC3-SHA
> DES-CBC3-SHA
> DES-CBC3-MD5
> DHE-RSA-AES128-SHA
> DHE-DSS-AES128-SHA
> AES128-SHA
> IDEA-CBC-SHA
> IDEA-CBC-MD5
> RC2-CBC-MD5
> RC4-SHA
> RC4-MD5
> RC4-MD5
> EDH-RSA-DES-CBC-SHA
> EDH-DSS-DES-CBC-SHA
> DES-CBC-SHA
> DES-CBC-MD5
> EXP-EDH-RSA-DES-CBC-SHA
> EXP-EDH-DSS-DES-CBC-SHA
> EXP-DES-CBC-SHA
> EXP-RC2-CBC-MD5
> EXP-RC2-CBC-MD5
> EXP-RC4-MD5
> EXP-RC4-MD5
>
> Client
> ------
> TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
> TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
> TLS_DHE_DSS_WITH_RC4_128_SHA
>
> tls1.h
> ------
> tls1.h:#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 0x03000060
> tls1.h:#define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 0x03000061
> tls1.h:#define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x03000062
> tls1.h:#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x03000063
> tls1.h:#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA 0x03000064
> tls1.h:#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x03000065
> tls1.h:#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5 "EXP1024-RC4-MD5"
> tls1.h:#define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 "EXP1024-RC2-CBC-MD5"
> tls1.h:#define TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA "EXP1024-DES-CBC-SHA"
> tls1.h:#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA "EXP1024-DHE-DSS-DES-CBC-SHA"
> tls1.h:#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA "EXP1024-RC4-SHA"
> tls1.h:#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA "EXP1024-DHE-DSS-RC4-SHA"
>
>
>
> I want to do the test with these ciphers. So, I NEED TO KNOW HOW I CAN
> ENABLE THESE CIPHERS?
>
> Can someone help me???
>
> Thanks for your attention and help.
>
> Best regards,
> Mariana Hoffart Dias
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
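
Added example (not part of the original thread and not OpenSSL code): decoding the SSL 3.0 ClientHello from the quoted `s_client -msg` output shows which cipher suites that client actually offered, and whether any of the EXPORT1024 IDs from the tls1.h excerpt were among them. The function names are hypothetical, and the 40-bit export IDs are an assumption taken from RFC 2246 rather than from the page.

```python
# ClientHello copied from the `openssl s_client -msg -ssl3` output quoted above.
CLIENT_HELLO_HEX = """
01 00 00 55 03 00 4a ce 18 7c 78 4f a4 1e f0 17
58 7a a8 8d ec a7 d0 0f 86 b8 68 2e 86 1f d6 c5
6c ca 4f 51 15 64 00 00 28 00 39 00 38 00 35 00
16 00 13 00 0a 00 33 00 32 00 2f 00 07 00 05 00
04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00
03 01 00 00 04 00 23 00 00
"""

# Wire IDs: low 16 bits of the TLS1_CK_*_EXPORT1024_* values in the tls1.h excerpt.
EXPORT1024_IDS = set(range(0x0060, 0x0066))
# 40-bit export suites as numbered in RFC 2246 (assumption: not listed on the page).
EXPORT40_IDS = {0x03, 0x06, 0x08, 0x0B, 0x0E, 0x11, 0x14, 0x17, 0x19}


def parse_client_hello(msg: bytes) -> dict:
    """Parse a handshake-layer SSLv3/TLS ClientHello (record header already removed)."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body = msg[4:]
    if int.from_bytes(msg[1:4], "big") != len(body):
        raise ValueError("handshake length does not match message size")
    if len(body) < 35:  # version (2) + random (32) + session_id length (1)
        raise ValueError("truncated ClientHello")
    pos = 35 + body[34]  # skip version, random and the session_id itself
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    return {"version": (body[0], body[1]), "suites": suites}


def audit_offer(hex_dump: str) -> dict:
    """Report which export-grade suites a dumped ClientHello offers."""
    hello = parse_client_hello(bytes.fromhex("".join(hex_dump.split())))
    offered = hello["suites"]
    return {
        "version": hello["version"],
        "offered": len(offered),
        "export1024": [f"0x{s:04x}" for s in offered if s in EXPORT1024_IDS],
        "export40": [f"0x{s:04x}" for s in offered if s in EXPORT40_IDS],
    }


if __name__ == "__main__":
    print(audit_offer(CLIENT_HELLO_HEX))
```

For this capture the EXPORT1024 list comes back empty: the client offered 20 suites, including five 40-bit export suites, but none of the 0x0060 to 0x0065 IDs.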