>From: owner-openssl-us...@openssl.org On Behalf Of Bogdan Harjoc
>Sent: Wednesday, 26 September, 2012 12:23

>I'm looking for the reason a server closes a SSL connection unless
>I overwrite this cipher id from the ClientHello cipher list:

(more exactly, improperly closes during handshake; "close[] SSL"
usually means the graceful close with alert.shutdown)

>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
>with a cipher that the server [accepts from browser]
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> ... and resend the ClientHello with netcat.

>The command I used to get this behavior was:
>openssl s_client -connect owa.unige.ch:443
>(as well as variations like -ssl3, -tls1, -cipher SSLv3, -cipher SSLv3+MEDIUM,etc)

What version of openssl, and was it built with any options?
0.9.8 shouldn't offer ECC at all by default. 1.0.0 should,
but also several other suites prior to ECDHE-RSA-3DES.
And 1.0.1 even more unless you turn off TLS1.2.

>If I put the 0x0033 cipher anywhere in front of 0xc012,
>I get the ServerHello back.

>Why should a server abort the handshake depending on the cipher order ?
>If the cipher is lower in the list the handshake continues.

It probably has bug(s) or misconfiguration. A server *should* skip
any cipher suites it can not support (or understand) and select one
-- usually the first one -- it can support, and give an alert if
there is none. In addition to having code for the algorithms,
support requires having a suitable key+cert available (except for
aNULL suites, which OpenSSL won't do by default and browsers won't
do at all), and for ECC suites having both code and cert for one of
the curves, and one of the pointformats, offered by the client.
(OpenSSL client offers all standard curves and pointformats.)

On some quick tests with 1.0.0i, owa.unige.ch apparently aborts
for any ECDH, or EDH-DSS, *or* AES256, only accepting EDH-RSA or
akRSA with DES3 or AES128, and *sometimes* it will skip an
unsupported suite and get a supported one as it should.

>Would disabling that cipher like below be an appropriate workaround ?
>My application has to handle "any webserver out there".
>SSL_CTX_set_cipher_list(ctx, "DEFAULT:!ECDHE-RSA-DES-CBC3-SHA")

If "any webserver" is defined as "anything that answers HTTPS",
be prepared to lower your standards quite a bit. Many of the things
people put on the internet, and the web, and even more so on some
private (business, organization, or home) nets, aren't real servers
at all, just quick&dirty interfaces stuck on the side of other things.
I suspect some of them are written in Perl, or even Visual Basic.

On the other hand, if you want "servers we find on the internet
that might be useful", you can probably disable all ECC (in 1.0.0+)
and DSS. There are various people doing research on usage of SSL
mostly HTTPS on the public net, and the published results I have seen
consistently say something like 0.0001% DSS and zero ECC.