[openssl-users] How to limit advertised maximum ssl version in ssl23 client hello

2017-11-30 Thread Joseph Southwell
So I have a server I connect to that replies “insufficient security” when I connect with an ssl23 client hello from openssl 1.0.2. However, when I connect with any of ssl3-tls1.1 client hello it works. It doesn’t work if I try to connect with a tls1.2 client hello. I am trying to narrow down the

Re: [openssl-users] Compatibility of OpenSSL (Debian)

2017-09-15 Thread Joseph Southwell
See: https://www.openssl.org/blog/blog/2016/08/24/sweet32
> On Sep 15, 2017, at 11:52 AM, Dave Serls wrote:
>
> A file DES3 encrypted here by OpenSSL 1.0.1t 3 May 2016 (Debian 7 or earlier
> version) is not accessible
> by OpenSSL 1.1.0f 25 May 2017 (Debian 9). Is

Re: [openssl-users] Help with ssl error

2017-04-19 Thread Joseph Southwell
>
>>    # tcpdump -s0 -w /some/file tcp port 16370
>>
>> and post the decode from:
>>
>>    $ tshark -r /tmp/p2 -d tcp.port==16370,ssl -V |
>>        sed -ne '/^Secure Sockets Layer/,/^$/p'
>>
>> Or just attach the PCAP file to

Re: [openssl-users] Help with ssl error

2017-04-19 Thread Joseph Southwell
Is there a way to enable one or both of those ciphers in OpenSSL?
> On Apr 18, 2017, at 1:28 PM, Jason Schultz wrote:
>
> RSA_With_AES_128_CBC_SHA and RSA_With_3DES_EDE_CBC_SHA
--
openssl-users mailing list
To unsubscribe:

Re: [openssl-users] Help with ssl error

2017-04-18 Thread Joseph Southwell
Verify return code: 0 (ok)
Extended master secret: no
---
> On Apr 14, 2017, at 2:49 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
>
>> On Apr 14, 2017, at 9:48 AM, Joseph Southwell <jsouthw...@serengeti.com> wrote:
>>

[openssl-users] Help with ssl error

2017-04-14 Thread Joseph Southwell
Version 1.1 openssl
openssl.exe s_client -connect hostname:16370 -starttls ftp
CONNECTED(0104)
877788:error:1409442F:SSL routines:ssl3_read_bytes:tlsv1 alert insufficient security:ssl\record\rec_layer_s3.c:1385:SSL alert number 71
The host I am connecting to apparently only supports the

Re: [openssl-users] Generating dh parameters multithreaded?

2017-03-15 Thread Joseph Southwell
Are you suggesting that I should modify openssl myself to expose that functionality or are you suggesting that there is a way to do that given the already exposed functionality? If it is the latter could you point me in the right direction?
> On Mar 15, 2017, at 2:21 PM, Salz, Rich via

[openssl-users] Generating dh parameters multithreaded?

2017-03-15 Thread Joseph Southwell
On any new install of our software we generate new dh parameters as follows…
DH *dh = DH_new();
!DH_generate_parameters_ex(dh, 2048, 2, NULL);
int codes = 0;
DH_check(dh, &codes);
DH_generate_key(dh);
It takes a long time. Is there some way to have it use all available cores instead of just the

[openssl-users] Help with "tlsv1 alert insufficient security"

2017-02-24 Thread Joseph Southwell
We upgraded from 0.9.8 to 1.0.2 and now we are seeing that message when we try connecting to a server that previously worked. What does it mean and how can I figure out how to work around it? I can’t get the server to change anything and I need to be able to continue connecting to it. openssl