Re: Is RFC3268 extension supported in openssl?

2013-08-21 Thread Zyan Wu
Hi Dr. Stephen Henson,

Thanks for your answer.

I know this cipher suite is rarely used however we do need this feature 
and we do want to test it using openssl. 

Do you happen to know how to get a DH certificate or how to generate a DH 
certificate using openssl or other tools.

-Zyan



From:   Dr. Stephen Henson st...@openssl.org
To: openssl-users@openssl.org, 
Date:   08/15/2013 07:26 PM
Subject: Re: Is RFC3268 extension supported in openssl?
Sent by: owner-openssl-us...@openssl.org



On Thu, Aug 15, 2013, Zyan Wu wrote:

 From the documents of http://www.openssl.org/docs/apps/ciphers.html and 
 CHANGES with the source code, RFC3268 is stated to be supported.
 
 But I cannot get the following ciphers by using openssl ciphers. (I have 
 used openssl1.0.1e and openssl0.9.8y) 
 
  TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA
  TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA
  TLS_DH_RSA_WITH_AES_128_CBC_SHA DH-RSA-AES128-SHA
  TLS_DH_RSA_WITH_AES_256_CBC_SHA DH-RSA-AES256-SHA 
 
 Are they really supported or do I have to enable them when building 
 openssl?
 

Those web pages refer to the current development branch of OpenSSL so some
features (including these ciphersuites) may not be in all versions of 
OpenSSL.

Those particular ciphersuites require the use of a DH certificate and are
only supported in unreleased OpenSSL 1.0.2 and the master branch. Very few
implementations support them; the ephemeral DH (EDH) ciphersuites are much
more common.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   majord...@openssl.org



Re: Is RFC3268 extension supported in openssl?

2013-08-21 Thread Dr. Stephen Henson
On Wed, Aug 21, 2013, Zyan Wu wrote:

 Hi Dr. Stephen Henson,
 
 Thanks for your answer.
 
 I know this cipher suite is rarely used however we do need this feature 
 and we do want to test it using openssl. 
 

Well as I said it is only supported by OpenSSL 1.0.2 and later, not in any
current release.

 Do you happen to know how to get a DH certificate or how to generate a DH 
 certificate using openssl or other tools.
 

In the master branch, check out the demo script in demos/certs/mkcerts.sh; there
is a line saying:

# Example creating a PKCS#3 DH certificate.

Depending on the TLS version you might need two DH certificates, one signed by
an RSA key and one a DSA key.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: Is RFC3268 extension supported in openssl?

2013-08-15 Thread Dr. Stephen Henson
On Thu, Aug 15, 2013, Zyan Wu wrote:

 From the documents of http://www.openssl.org/docs/apps/ciphers.html and 
 CHANGES with the source code, RFC3268 is stated to be supported.
 
 But I cannot get the following ciphers by using openssl ciphers. (I have 
 used openssl1.0.1e and openssl0.9.8y) 
 
  TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA
  TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA
  TLS_DH_RSA_WITH_AES_128_CBC_SHA DH-RSA-AES128-SHA
  TLS_DH_RSA_WITH_AES_256_CBC_SHA DH-RSA-AES256-SHA 
 
 Are they really supported or do I have to enable them when building 
 openssl?
 

Those web pages refer to the current development branch of OpenSSL so some
features (including these ciphersuites) may not be in all versions of OpenSSL.

Those particular ciphersuites require the use of a DH certificate and are
only supported in unreleased OpenSSL 1.0.2 and the master branch. Very few
implementations support them; the ephemeral DH (EDH) ciphersuites are much
more common.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
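
Added example (not part of the original thread, and not OpenSSL project code): a shell helper that reads `openssl ciphers -v` output, separates the fixed-DH suites that need a DH certificate from the ephemeral DH ones, and lists which of the four RFC 3268 names from the question a build does not offer. The function names and the sample lines are constructed; the `Kx=DH/RSA` and `Kx=DH/DSS` labels are assumed to match what your build prints.

```shell
#!/bin/sh
# The four RFC 3268 fixed-DH suite names quoted in the thread.
RFC3268_STATIC_DH="DH-DSS-AES128-SHA DH-DSS-AES256-SHA DH-RSA-AES128-SHA DH-RSA-AES256-SHA"

# Constructed sample in `openssl ciphers -v` column layout (not captured
# output): ephemeral DH suites, one fixed-DH suite and one plain RSA suite.
sample_ciphers() {
cat <<'EOF'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
DH-RSA-AES128-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EOF
}

# Read `ciphers -v` lines on stdin; print "<name> <class>" for DH suites only.
# fixed-dh     : server key comes from a DH certificate (Kx=DH/RSA, Kx=DH/DSS)
# ephemeral-dh : per-handshake DH key signed by an RSA or DSA certificate
classify_dh() {
    awk '{
        kx = ""
        for (i = 2; i <= NF; i++) { if ($i ~ /^Kx=/) { kx = substr($i, 4) } }
        if (kx == "DH/RSA" || kx == "DH/DSS") { print $1, "fixed-dh" }
        else if (kx == "DH") { print $1, "ephemeral-dh" }
    }'
}

# Read `ciphers -v` lines on stdin; print each RFC 3268 name that is absent.
missing_rfc3268() {
    names=$(awk '{ print $1 }')
    for suite in $RFC3268_STATIC_DH; do
        printf '%s\n' "$names" | grep -qxF -- "$suite" || printf '%s\n' "$suite"
    done
}

# Against a real build: openssl ciphers -v 'ALL' | missing_rfc3268
```

An empty result from `missing_rfc3268` means the build lists all four suites; it does not show that a DH certificate is configured on the server.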


Is RFC3268 extension supported in openssl?

2013-08-14 Thread Zyan Wu
From the documents of http://www.openssl.org/docs/apps/ciphers.html and 
CHANGES with the source code, RFC3268 is stated to be supported.

But I cannot get the following ciphers by using openssl ciphers. (I have 
used openssl1.0.1e and openssl0.9.8y) 

 TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA
 TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA
 TLS_DH_RSA_WITH_AES_128_CBC_SHA DH-RSA-AES128-SHA
 TLS_DH_RSA_WITH_AES_256_CBC_SHA DH-RSA-AES256-SHA 

Are they really supported or do I have to enable them when building 
openssl?

-Zyan