Re: [openssl-dev] 1.1.0 pre5 seems to ignore CIPHER_SERVER_PREFERENCE

[Viktor Dukhovni]

> On May 26, 2016, at 9:44 AM, Angus Robertson - Magenta Systems Ltd 
>  wrote:
> 
> I have two custom Windows web sites, running released and beta versions
> of OpenSSL.  The beta version only gets an A- score with SSL Labs,
> whereas the release version gets A+.  
> 
> https://www1.telecom-tariffs.co.uk/serverinfo.htm
> 
> shows server status, and that it's running OpenSSL 1.1.0-pre5 (beta) 19
> Apr 2016, SSL Labs says: 'Cipher Suites (sorted by strength as the
> server has no preference;)  The server does not support Forward Secrecy
> with the reference browsers. Grade reduced to A-.'
> 
> https://www.telecom-tariffs.co.uk/serverinfo.htm
> 
> is the main live server running OpenSSL 1.0.2h 3 May 2016, and gets a
> score A+ saying 'Cipher Suites (SSL 3+ suites in server-preferred
> order)'.

Sites like SSL Labs sometimes have bugs, and also your server configuration
may lack DHE or ECDHE parameters.  In any case, OpenSSL 1.1.0 beta does support
server preference, and I don't think any recent commits either broke or fixed
this.

Testing against with Postfix compiled against HEAD I see:

   # postconf -e "tls_preempt_cipherlist = no"
   # postfix reload
   postfix/postfix-script: refreshing the Postfix mail system

   # posttls-finger -Lsummary -lencrypt -c -o "tls_medium_cipherlist = 
AES128-SHA:AES256-SHA" "[localhost]:25"
   posttls-finger: Untrusted TLS connection established to 
localhost[127.0.0.1]:25: TLSv1.2 with cipher AES128-SHA (128/128 bits)

   # postconf -e "tls_preempt_cipherlist = yes"
   # postfix reload
   postfix/postfix-script: refreshing the Postfix mail system
   # posttls-finger -Lsummary -lencrypt -c -o "tls_medium_cipherlist = 
AES128-SHA:AES256-SHA" "[localhost]:25"
   posttls-finger: Untrusted TLS connection established to 
localhost[127.0.0.1]:25: TLSv1.2 with cipher AES256-SHA (256/256 bits)

Which shows the server preference in effect for the second connection (AES256 
used despite client's preference for AES128).

-- 
Viktor.

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] 1.1.0 pre5 seems to ignore CIPHER_SERVER_PREFERENCE

[Angus Robertson - Magenta Systems Ltd]

I have two custom Windows web sites, running released and beta versions
of OpenSSL.  The beta version only gets an A- score with SSL Labs,
whereas the release version gets A+.  

https://www1.telecom-tariffs.co.uk/serverinfo.htm

shows server status, and that it's running OpenSSL 1.1.0-pre5 (beta) 19
Apr 2016, SSL Labs says: 'Cipher Suites (sorted by strength as the
server has no preference;)  The server does not support Forward Secrecy
with the reference browsers. Grade reduced to A-.'

https://www.telecom-tariffs.co.uk/serverinfo.htm

is the main live server running OpenSSL 1.0.2h 3 May 2016, and gets a
score A+ saying 'Cipher Suites (SSL 3+ suites in server-preferred
order)'. 

The application is identical with CIPHER_SERVER_PREFERENCE specified
and a Mozilla intermediate cipher list (shown on the status page), but
SSL Labs suggests there is no server preference so forward security
ciphers are not prioritised. 

The OpenSSL implementation is for Windows Embarcadero Delphi and the
free ICS internet component suite which I support, it uses our own
Pascal version of the OpenSSL C header files, originally created 10
years ago and updated for each new OpenSSL release, so there is a risk
we might miss subtle header changes like constants changing.

I realise pre5 is a month old, but can not see this issued raised in
the last month.   

Angus
 


-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev