Re: OpenSSL ASN.1 Vulnerability
> Hello,
> I tried with openssl s_client but I can't get any OpenSSL version information
> back. Is there some easy way of determining if the remote service is
> vulnerable, or can you ensure that the versions which are older than 0.9.6k or
> 0.9.7c are not vulnerable? SSL servers do not send back version information.
>
> I am running the following version:
>
>     OpenSSL> version
>     OpenSSL 0.9.7e-p1 25 Oct 2004
>     OpenSSL> exit
>
> It might be that the application that we are testing is using statically
> linked libraries and I need to investigate that; I just wanted to check with
> you guys if there were a way of checking this remotely.

Yes, but this vulnerability can be checked if the server requests client
authentication (the client sends its certificate, which is parsed by the server).
A simple bit-flipping test is enough to check this. You may write a simple program
which will sequentially connect to your server and in each connection, at the SSL
Record Layer, modify one bit of the client Certificate packet sent to the server.
After a few connections you will get a server core dump for OpenSSL 0.9.7b (but
not for OpenSSL 0.9.7c).

Best regards,
--
Marek Marcola [EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
RE: error:0906D06C:PEM routines
> Hello,
> Thanks for the tip. But I still can't sign a Certificate Request. openssl
> first asked for dir serial. I mkdir'd it, then it complains about not being
> able to load a serial number.
>
> jfd

This looks like a not properly set up CA infrastructure. Look at the CA.pl script
(man CA.pl) to get some details on setting up a new CA.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
RE: openssl with non-blocking comms
There is an example implementation of the usage of bio_pairs in the ssltest.c
file included with the ssl distribution. This should give you a good idea about
how to use them properly. I too took that same implementation from ssltest.c and
wrapped it in a class for my IOCP server without too much trouble.

Regards,
Usman.

From: "terry johnston" [EMAIL PROTECTED]
Reply-To: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: openssl with non-blocking comms
Date: Mon, 29 Jan 2007 13:16:00 -0800

> Hello All.
> I am trying to implement openssl with a server that uses an event notification
> library under Linux. I am using bio pairs to separate the non-blocking comms
> from the ssl layer.
>
> I am currently not able to get past the first SSL_accept() call.
>
> Each new client connection does the following...
> - gets accepted normally
> - creates a bio pair
> - sets up read write event notification
> - receives a read notification - reads data, adds it to the network bio using
>   BIO_write()
> - does a SSL_accept(), which returns -1
> - calls SSL_get_error(), which returns 111 - "not yet implemented"?
> - calls BIO_ctrl_pending() on the network bio, which shows there is nothing to
>   get (presume I would call a BIO_read() to get any data for on-sending)
> - adds another read event notification but nothing arrives
>
> what am I doing wrong?!
>
> thank you in advance
> Terry Johnston
> --
> terry johnston [EMAIL PROTECTED]
Re: TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable problem on Solaris 10
On Mon, Jan 29, 2007 at 04:53:50PM -0500, Victor Duchovni wrote:

> Sun builds libcrypto with AES128 support, but without AES256 support. And
> attempts to paper over the problem with a custom DEFAULT cipherlist (but
> COMPLEMENTOFDEFAULT is wrong, and ALL and HIGH are not usable). When ALL is
> used instead of DEFAULT, libssl believes that AES256 is present because AES128
> is present:
>
>     ssl_cipher_get_disabled():
>         mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0;
>
> there is no separate probe for AES256, and no dedicated mask bit to tell the
> two apart.
>
> but I would like to find out whether this problem:
>
> - is likely to be resolved for AES256 in future OpenSSL releases (by
>   separately testing for disabled AES256 and AES128, and not mixing AES128 in
>   with the HIGH ciphers).
>
> - is not likely to be repeated with other ciphers in future OpenSSL releases
>   (by ensuring that ssl_cipher_get_disabled() is not fuzzy and masks out all
>   symmetric ciphers that are not available).
>
> Is this the wrong forum for this type of question?

I just downloaded the 0.9.9 20070125 snapshot, and found the AES 128 vs AES 256
trap is now possible also with CAMELLIA. If Sun or another distributor again
chooses to only implement the 128 bit and not the 256 bit cipher, the disabled
algorithm filter will once again break.

    $ egrep -n AES ssl_ciph.c
    154:#define SSL_ENC_AES128_IDX 6
    155:#define SSL_ENC_AES256_IDX 7
    244:{0,SSL_TXT_AES, 0,SSL_AES, 0,0,0,0,SSL_ENC_MASK,0},
    289:ssl_cipher_methods[SSL_ENC_AES128_IDX]=
    291:ssl_cipher_methods[SSL_ENC_AES256_IDX]=
    407:case SSL_AES:
    410:case 128: i=SSL_ENC_AES128_IDX; break;
    411:case 256: i=SSL_ENC_AES256_IDX; break;
    515:mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0;
    1223: case SSL_AES:
    1226: case 128: enc=AES(128); break;
    1227: case 192: enc=AES(192); break;
    1228: case 256: enc=AES(256); break;
    1229: default: enc=AES(???); break;

    $ egrep -ni CAMELLIA ssl_ciph.c
    156:#define SSL_ENC_CAMELLIA128_IDX 8
    157:#define SSL_ENC_CAMELLIA256_IDX 9
    245:{0,SSL_TXT_CAMELLIA,0,SSL_CAMELLIA, 0,0,0,0,SSL_ENC_MASK,0},
    293:ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX]=
    294: EVP_get_cipherbyname(SN_camellia_128_cbc);
    295:ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX]=
    296: EVP_get_cipherbyname(SN_camellia_256_cbc);
    415:case SSL_CAMELLIA:
    418:case 128: i=SSL_ENC_CAMELLIA128_IDX; break;
    419:case 256: i=SSL_ENC_CAMELLIA256_IDX; break;
    516:mask |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA:0;
    1232: case SSL_CAMELLIA:
    1235: case 128: enc=Camellia(128); break;
    1236: case 256: enc=Camellia(256); break;
    1237: default: enc=Camellia(???); break;

0.9.9 introduces:

    ADH-CAMELLIA256-SHA
    DHE-RSA-CAMELLIA256-SHA
    DHE-DSS-CAMELLIA256-SHA
    CAMELLIA256-SHA
    ADH-CAMELLIA128-SHA
    DHE-RSA-CAMELLIA128-SHA
    DHE-DSS-CAMELLIA128-SHA
    CAMELLIA128-SHA

and it is possible to get handshake failures from/with systems that implement only
the weaker cipher grade in the CAMELLIA family. Even if distributions *should not*
implement only a subset of the ciphers in a family, they likely will, and I am
hoping that the library can be more defensive in the face of partially implemented
cipher families in libcrypto.

Is this the right forum? I want to make sure that Postfix 2.4 is still correct
when OpenSSL 0.9.9 is released, and I am reluctant to augment the AES-256
work-around with a Camellia-256 work-around, ... I am looking for a more
systematic solution, ideally in the OpenSSL library. Can ssl_cipher_get_disabled()
be enhanced to distinguish between AES-128 and AES-256 or Camellia-128 and
Camellia-256?

--
Viktor.
session caching with multiple threads
Hello all,

I am doing, in C language, a SSL client with openSSL 0.9.7g. I have multiple
clients (about 10) using the same SSL_CTX and connecting to 2 different servers
(5 clients on each, for example). I wonder how SSL_get_session, SSL_set_session
and SSL_SESSION_free have to be used there.

What I did was about (for each client):

    if (session for server A in cache) {
        SSL_set_session(ssl, session)
        SSL_SESSION_free(session)
    }
    if (SSL_connect (ssl) == OK)
        session = SSL_get1_session(ssl)
    SSL_shutdown (ssl)

But I fear problems with other threads:
- will memory be freed when one client does a new handshake?
- will the session be kept as it is valid?

Please help :)
RE: openssl with non-blocking comms
Terry

I ran into the same problem a while ago. I had a blocking server, waiting for a
client to connect. I had a non-blocking client connected to the server; it never
passed SSL_connect(). I changed non-blocking to blocking I/O BEFORE I called
SSL_connect(). It worked fine. It seems to me you need to use a blocking socket
for SSL_connect to sit there to exchange all the certificates, ciphers. You can
use a non-blocking socket for SSL_connect, but you have to put it into a loop to
call SSL_connect again after you receive SSL_WANT_READ or SSL_WANT_WRITE.

I hope it helps.

TD

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of terry johnston
Sent: Monday, January 29, 2007 16:16
To: openssl-users@openssl.org
Subject: openssl with non-blocking comms
RE: openssl with non-blocking comms
hello Thao

Thank you for trying but no, this does not help. If you want to build a single
threaded scalable server using nonblocking i/o, you need to use exclusively
nonblocking i/o. You can't conveniently block on one connection while it sorts
itself out, as you put the other connections temporarily out of action. This is
fine on a single connection server, but not if you want to support lots of
connections.

Thanks anyway.
Terry

On Tue, 30 Jan 2007 14:11:42 -0600, Dinh, Thao V CIV NSWCDD, K72 [EMAIL PROTECTED] said:

> Terry
> I ran into the same problem a while ago. I had a blocking server, waiting for
> a client to connect. I had a non-blocking client connected to the server; it
> never passed SSL_connect(). I changed non-blocking to blocking I/O BEFORE I
> called SSL_connect(). It worked fine. It seems to me you need to use a
> blocking socket for SSL_connect to sit there to exchange all the
> certificates, ciphers. You can use a non-blocking socket for SSL_connect, but
> you have to put it into a loop to call SSL_connect again after you receive
> SSL_WANT_READ or SSL_WANT_WRITE.
> I hope it helps.
> TD

--
terry johnston [EMAIL PROTECTED]
RE: openssl with non-blocking comms
Terry

On the client side, I convert back from a blocking socket to a non-blocking socket
after successfully calling SSL_connect. On the server side, I call accept(). After
accept returns a socket, put ssl on this socket, then call SSL_accept(). If
SSL_accept() succeeds, spin off a thread to handle this new connection. This new
connection can be changed to non-blocking if you want to. So one client will be
handled by one thread from the server.

I hope it helps.

TD

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of terry johnston
Sent: Tuesday, January 30, 2007 15:43
To: openssl-users@openssl.org
Subject: RE: openssl with non-blocking comms

> hello Thao
> Thank you for trying but no, this does not help. If you want to build a single
> threaded scalable server using nonblocking i/o, you need to use exclusively
> nonblocking i/o. You can't conveniently block on one connection while it sorts
> itself out, as you put the other connections temporarily out of action. This
> is fine on a single connection server, but not if you want to support lots of
> connections.
> Thanks anyway.
> Terry
BIO Data access problem with OpenSSL 0.9.8d
Greetings everyone:

We're using OpenSSL for TLS client/server authentication, implemented via the
EAP-FAST protocol. We are seeing odd output when doing the tunnel establishment
phase (TLS full client-side auth handshake) on the client side. Details are:

a. we set the ciphersuite to TLS_DH_anon_WITH_AES_128_CBC_SHA (anonymous
   provisioning)
b. send correctly the ClientHello with the above ciphersuite.
c. server sends correctly back the server hello, accepting the ciphersuite
   (ServerHello, ServerKeyExchange, ServerHelloDone)
d. after parsing the response from server, client responds with an ACK for the
   ServerHello frame.

More in-depth description: We have the following structures for keeping data:

    mytls_vars->ctx = SSL_CTX_new(TLSv1_method());
    mytls_vars->ssl = SSL_new(mytls_vars->ctx);
    mytls_vars->ssl_in = BIO_new(BIO_s_mem());
    mytls_vars->ssl_out = BIO_new(BIO_s_mem());
    SSL_set_bio(mytls_vars->ssl, mytls_vars->ssl_in, mytls_vars->ssl_out);

At point d, we try to get the response like this: (ssl3_connect())

    BIO_get_mem_ptr(mytls_vars->ssl_out, &retData);
    mytls_vars->tlsoutdata = retData->data;
    mytls_vars->tlsoutsize = retData->length;

We see that retData->length is zero. Digging deeper, and looking at the
((BIO_F_BUFFER_CTX*)mytls_vars->ssl->wbio->ptr)->obuf pointer, we can see here
all the response frames buffered that should be sent instead of the ACK
(ClientKeyExchange, ChangeCipherSpec, EncrHandshake).

After we prepare the response for point c, we have the following responses for

    BIO_pending(mytls_vars->ssl_out) = 0;
    BIO_wpending(mytls_vars->ssl_out) = 0;
    BIO_pending(mytls_vars->ssl->wbio) = 0;
    BIO_wpending(mytls_vars->ssl->wbio) = 326;

326 is the size of the data that should have been sent, and dumping memory at the
obuf from wbio->ptr, the response is clearly indicating the 3 TLS records
(ClientKeyExchange, ChangeCipherSpec, EncrHandshake).

All the links between mytls_vars->ssl->wbio and mytls_vars->ssl_out seem to be
correctly set, i.e.: wbio->next = ssl_out; ssl_out->next = NULL;
ssl_out->prev = wbio.

The same behavior happens if we skip step a (set of cipher suite) and let the
server choose.

Any help on the above would be highly appreciated.

-Areg
Re: openssl with non-blocking comms
On Tue, Jan 30, 2007, Dinh, Thao V CIV NSWCDD, K72 wrote:

> Terry
> I ran into the same problem a while ago. I had a blocking server, waiting for
> a client to connect. I had a non-blocking client connected to the server; it
> never passed SSL_connect(). I changed non-blocking to blocking I/O BEFORE I
> called SSL_connect(). It worked fine. It seems to me you need to use a
> blocking socket for SSL_connect to sit there to exchange all the
> certificates, ciphers. You can use a non-blocking socket for SSL_connect, but
> you have to put it into a loop to call SSL_connect again after you receive
> SSL_WANT_READ or SSL_WANT_WRITE.

You don't actually need to do that at all if the retry code is written correctly.
The socket can remain non-blocking throughout. In fact it is possible to have the
socket non-blocking before it even connects if the appropriate BIO is used. There
is an example of this with a connect BIO in the ocsp utility in OpenSSL 0.9.9.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
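The non-blocking handshake loop Steve describes, as an added example that is not code from the thread or from OpenSSL's ssltest.c: Python's ssl.MemoryBIO/SSLObject plays the role of the BIO pair, a pump() function stands in for the event loop's socket send/recv, and anonymous ECDH at security level 0 is an assumed test-harness shortcut so no certificate file is needed (the retry logic is the point, not the cipher).

```python
import ssl

# Added example (not code from the thread). An ssl.MemoryBIO pair is the same
# model as an OpenSSL BIO pair: the TLS engine never touches a socket, it only
# reads from an "incoming" BIO and writes to an "outgoing" BIO, and the event
# loop moves bytes between those BIOs and the non-blocking socket.


def pump(src, dst):
    """Move everything queued in the outgoing BIO `src` into the peer's incoming
    BIO `dst`. With real sockets this is the send()/recv() pair the event loop
    runs on writable/readable notifications. Returns the byte count moved."""
    data = src.read()
    if data:
        dst.write(data)
    return len(data)


def step(op):
    """Run one non-blocking TLS operation. SSLWantReadError/SSLWantWriteError
    (OpenSSL's SSL_ERROR_WANT_READ/WANT_WRITE) are not failures: they mean
    'drain my outgoing BIO to the wire, then call me again once new bytes have
    been fed into my incoming BIO'. Returns (result, finished)."""
    try:
        return op(), True
    except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
        return None, False


def anon_contexts():
    """Anonymous ECDH on TLS 1.2 so this demo needs no certificate files. This is
    a test-harness shortcut only (assumption: the OpenSSL build still ships the
    AECDH suites); a real server loads a certificate and key instead."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.check_hostname = False
    cli.verify_mode = ssl.CERT_NONE
    for ctx in (srv, cli):
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # anon suites exist only up to 1.2
        ctx.set_ciphers("AECDH-AES128-SHA:AECDH-AES256-SHA:@SECLEVEL=0")
    return srv, cli


def handshake_over_bio_pairs(max_rounds=10):
    """Drive both ends of a TLS handshake with nothing blocking. One 'round' is
    what an event loop does per readable notification: feed bytes in, call the
    handshake once, push whatever the engine produced back out."""
    srv_ctx, cli_ctx = anon_contexts()
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()  # client-side network BIOs
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()  # server-side network BIOs
    cli = cli_ctx.wrap_bio(c_in, c_out, server_side=False)
    srv = srv_ctx.wrap_bio(s_in, s_out, server_side=True)
    cli_done = srv_done = False
    for rounds in range(1, max_rounds + 1):
        if not cli_done:
            _, cli_done = step(cli.do_handshake)
        pump(c_out, s_in)  # ClientHello, later ClientKeyExchange/CCS/Finished
        if not srv_done:
            _, srv_done = step(srv.do_handshake)
        pump(s_out, c_in)  # ServerHello..ServerHelloDone, later CCS/Finished
        if cli_done and srv_done:
            return cli, srv, (c_in, c_out, s_in, s_out), rounds
    raise RuntimeError("handshake did not converge: outgoing BIOs are not drained")


def echo_roundtrip(payload=b"hello over bio pairs"):
    """Client sends application data, server reads it and echoes it back; every
    record crosses via the BIOs, never a socket. Returns what the client read."""
    cli, srv, (c_in, c_out, s_in, s_out), rounds = handshake_over_bio_pairs()
    cli.write(payload)
    pump(c_out, s_in)
    received, _ = step(lambda: srv.read(4096))
    srv.write(received)
    pump(s_out, c_in)
    echoed, _ = step(lambda: cli.read(4096))
    return {"version": cli.version(), "rounds": rounds, "echo": echoed}


if __name__ == "__main__":
    print(echo_roundtrip())
```

Each round is one feed/call/drain cycle; a loop that reads the socket into the BIO but never drains the outgoing BIO back to the socket stalls at the first WantRead, which is the "nothing arrives" symptom in the thread.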
File format's name
Hi,

sorry, please let me ask this question: The ASCII files OpenSSL produces all look
like

    BEGIN CERTIFICATE
    ...
    END CERTIFICATE

Is the number of dashes reliably 4? And what is the name of this file format? A
customer asks me to send the certificate without these surrounding lines. You
will understand it's almost impossible googling for that.

Thanks in advance.

Bertram
--
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
RE: File format's name
> Hi,
> sorry, please let me ask this question: The ASCII files OpenSSL produces all
> look like
>
>     BEGIN CERTIFICATE
>     ...
>     END CERTIFICATE
>
> Is the number of dashes reliably 4? And what is the name of this file format?

Yes. PEM.

DS
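What the customer is actually asking for, as an added example that is not code from the thread: the PEM armour (RFC 7468 puts five dashes on each side of the label, whatever the count looked like in the mail) strips down to a base64 body that decodes to DER, and a short DER sanity check catches a truncated or mislabelled file before it is passed on. The sample file below is constructed, not a real certificate or key.

```python
import base64
import binascii
import re

# Added example (not code from the thread). RFC 7468 textual encoding: five
# dashes on each side of the BEGIN/END labels, then base64 of the DER bytes,
# wrapped at 64 columns. "The certificate without the surrounding lines" is
# that base64 body.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def _is_one_der_sequence(der):
    """True if `der` is exactly one DER SEQUENCE (tag 0x30) whose length covers
    every remaining byte. Every X.509 certificate satisfies this; truncated or
    concatenated content does not, which makes it the cheapest sanity check
    before handing the bytes to a parser."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        hdr, length = 2, first
    else:                                  # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)


def pem_blocks(text):
    """Yield (label, der) for every PEM block in `text`; raises ValueError on a
    body that is not clean base64."""
    for m in _PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label} block is not valid base64") from exc
        yield label, der


def pem_to_der(text, label="CERTIFICATE"):
    """DER bytes of the first block carrying `label`, checked to be one SEQUENCE."""
    for blk_label, der in pem_blocks(text):
        if blk_label != label:
            continue                        # e.g. a PRIVATE KEY in the same file
        if not _is_one_der_sequence(der):
            raise ValueError(f"{label} body is not a single DER SEQUENCE")
        return der
    raise ValueError(f"no {label} block found")


def bare_base64_body(text, label="CERTIFICATE"):
    """What the customer asked for: the base64 body on one line with no BEGIN/END
    framing, re-encoded from validated DER so line-wrapping damage cannot survive."""
    return base64.b64encode(pem_to_der(text, label)).decode("ascii")


def der_to_pem(der, label="CERTIFICATE"):
    """Re-wrap DER as PEM with the standard 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample file: the DER is the 5-byte SEQUENCE { INTEGER 5 }, not a
# real certificate or key, so the demo stays self-contained; only the framing
# and the checks matter.
SAMPLE_PEM = (
    "-----BEGIN PRIVATE KEY-----\nMAMCAQU=\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(bare_base64_body(SAMPLE_PEM))
```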
SSL_ERROR_SYSCALL, nonblocking sockets and EWOULDBLOCK
I have what I hope to be a relatively simple question regarding
SSL_read/write/etc operations on nonblocking sockets, and the errors they return.
I would like to preface this by saying that I have spent hours scouring google
and also searching the archives and I haven't really found an answer, so please
don't flame me!

With that said - I'm setting up my sockets to be nonblocking, and then doing the
following to set up my ssl objects (relevant code only):

    toClientSSL = SSL_new(ctx);
    toClientBIO = BIO_new_socket(inSock, BIO_CLOSE); // inSock is nonblocking
    SSL_set_bio(toClientSSL, toClientBIO, toClientBIO);

Sometimes a SSL_read() operation on toClientSSL will return 0, and SSL_get_error
yields SSL_ERROR_SYSCALL, and if I look at errno (from errno.h) it's set to
EWOULDBLOCK. I had thought that if something was going to block, SSL_get_error
would return either SSL_ERROR_WANT_READ or _WRITE. I was handling those two
errors, but I was just assuming that SSL_ERROR_SYSCALL would only come up for
things like premature closing of the socket, and other similar rather fatal
errors. Is this the correct behavior (that it's reported as SYSCALL rather than
_WANT_READ etc...)?

Thanks in advance, and I'm sorry if this seems like a trivial question, but I
honestly have been looking all over for an answer.
Re: TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable problem on Solaris 10
On Tue, Jan 30, 2007 at 10:24:21AM -0500, Victor Duchovni wrote:

> Is this the right forum? I want to make sure that Postfix 2.4 is still
> correct when OpenSSL 0.9.9 is released, and I am reluctant to augment the
> AES-256 work-around with a Camellia-256 work-around, ... I am looking for a
> more systematic solution, ideally in the OpenSSL library. Can
> ssl_cipher_get_disabled() be enhanced to distinguish between AES-128 and
> AES-256 or Camellia-128 and Camellia-256?

Very simple patch below: when filtering actual ciphers, test 256 bit ciphers
against a 256bit variant of the disabled cipher mask, and all other ciphers
against the regular mask. When filtering cipher aliases, only disable aliases that
fail both masks. Fully binary compatible, no externally visible changes, no
consumption of algorithm bitmask slots, ... I am hoping this can be adopted for
0.9.9 and any future 0.9.8e or 0.9.7m release. I am also hoping for some
feedback. :-)

Tested by explicitly setting:

    ssl_cipher_methods[SSL_ENC_AES128_IDX]=
    #ifndef TEST_MASK256
        EVP_get_cipherbyname(SN_aes_128_cbc);
    #else
        0;
    #endif
    ssl_cipher_methods[SSL_ENC_AES256_IDX]=
        EVP_get_cipherbyname(SN_aes_256_cbc);
    ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX]=
        EVP_get_cipherbyname(SN_camellia_128_cbc);
    ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX]=
    #ifndef TEST_MASK256
        EVP_get_cipherbyname(SN_camellia_256_cbc);
    #else
        0;
    #endif

Compiling with -DTEST_MASK256 yields the expected results, with all cipherlists
that normally include AES always missing the AES-128 ciphers only, and all
cipherlists that normally include CAMELLIA always missing the CAMELLIA-256
ciphers only.

*** openssl-SNAP-20070125/ssl/ssl_ciph.cWed Jan 3 15:01:16 2007 --- openssl-SNAP-20070125-new/ssl/ssl_ciph.cWed Jan 31 01:05:06 2007 *** *** 478,486 *tail=curr; } ! static unsigned long ssl_cipher_get_disabled(void) { unsigned long mask = 0; #ifdef OPENSSL_NO_RSA mask |= SSL_aRSA|SSL_kRSA; --- 478,488 *tail=curr; } !
static unsigned long ssl_cipher_get_disabled(long *m256Ptr) { unsigned long mask = 0; + unsigned long m256; + #ifdef OPENSSL_NO_RSA mask |= SSL_aRSA|SSL_kRSA; *** *** 512,529 mask |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0; mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0; mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0; - mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0; - mask |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA:0; mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0; mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0; return(mask); } static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, ! int num_of_ciphers, unsigned long mask, CIPHER_ORDER *co_list, ! CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) { int i, co_list_num; SSL_CIPHER *c; --- 514,541 mask |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0; mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0; mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0; mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0; mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0; + /* +* So far so good, but for some ciphers mask and m256 differ +*/ + m256 = mask; + + mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0; + m256 |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES:0; + mask |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA:0; + m256 |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA:0; + + *m256Ptr = m256; return(mask); } static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, ! int num_of_ciphers, unsigned long mask, unsigned long m256, ! CIPHER_ORDER *co_list, CIPHER_ORDER **head_p, ! 
CIPHER_ORDER **tail_p) { int i, co_list_num; SSL_CIPHER *c; *** *** 541,547 { c = ssl_method-get_cipher(i); /* drop those that use any of that is not available */ ! if ((c != NULL) c-valid !(c-algorithms mask)) { co_list[co_list_num].cipher = c; co_list[co_list_num].next = NULL; --- 553,560 { c = ssl_method-get_cipher(i); /* drop those that use any of that is not available */ !
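Review bot: in the first hunk (478,486) the new out-parameter is declared `long *m256Ptr` while `mask`, the local `m256` and the function's return value are all `unsigned long`, so `*m256Ptr = m256;` stores an unsigned mask through a signed pointer and every caller must hold the 256-bit mask in a differently typed variable from the one it uses for `mask`. Declare it `unsigned long *m256Ptr` and add a one-line comment above the prototype saying that on return `*m256Ptr` is the disabled-algorithm mask to apply to 256-bit cipher grades, since nothing in the hunk currently documents the contract.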
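Review bot: the second hunk (512,529) removes the 128-bit slot standing in for the whole family, but it hard-codes a two-grade world: `m256` is seeded from `mask` and only the `SSL_ENC_AES256_IDX` and `SSL_ENC_CAMELLIA256_IDX` probes feed it, so the fix still rests on a family bit plus one extra mask rather than on the per-cipher availability the earlier message asked for ("not fuzzy ... masks out all symmetric ciphers that are not available"); a family with a third grade, or the next family added with a separate index, needs yet another mask. Consider having `ssl_cipher_collect_ciphers` consult the cipher's own `ssl_cipher_methods` slot (the lookup that the `case 128:`/`case 256:` switch already performs) instead of a family-level mask, which removes the second mask entirely. Also the comment `So far so good, but for some ciphers mask and m256 differ` should state what `m256` is for (the mask applied to 256-bit grades) rather than only that it differs.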