Re: [openssl-users] The default cipher of executable 'openssl'

[Dave Thompson]

 From: openssl-users On Behalf Of Viktor Dukhovni
 Sent: Friday, June 12, 2015 02:47

  1) 1.0.1l
  ./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile
  certdb/cafile.pem
  Using default temp DH parameters
  Using default temp ECDH parameters
  ACCEPT
 
 With SSL 3.0, no extension support, thus no supported curves
 extension, thus ideally no EDCHE support.  If ECDHE happened anyway
 with earlier releases, that was a bug that is perhaps now fixed.
 
That is it.

I'm not sure a bug, but I'd agree not  ideal. 4492 says client SHOULD 
send the curves and pointformats extensions, but if it doesn't the server 
is free to choose any one of [4492 named curves] (no BCP14 verb).
OpenSSL's old behavior of using a particular curve is permitted.

I'm not sure it was an intentional change. =1.0.1 had all the logic 
in ssl3_choose_cipher, with (large clumsy) code blocks of the form 
if ECC suite is in intersection of client and server lists and we have 
ECC keycert, but client specified curves and our curve isn't among 
them, don't use ECC suite, and similarly for pointformats. If client 
didn't send the extensions the don't use branch wasn't taken.
1.0.2 has new APIs for both client and server apps to restrict curves,
and ssl3_choose_cipher is rearranged into several new routines, 
using I think some new data, with result that if the client doesn't 
send extensions ECC is NOT selected (and in the OPs case DHE is).

  2) 1.0.2
  ./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile
  certdb/cafile.pem
  Using default temp DH parameters
  ACCEPT
 
  Note that, in 1.0.2, openssl doesn't print out 'Using default temp ECDH
  parameters'.
 
That's a red herring. That code was also refactored; s_server still 
defaults to P256, it just doesn't say so. If I run 1.0.2* s_server -ssl3
then s_client allowing at least 1.0, it sends clienthello containing 
ECC suites in cipherlist (by default), with applicable extensions 
including two for ECC; receiving this, server negotiates version=3.0,
but DOES select ECDHE-RSA (given RSA certkey) and client agrees.



___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] The default cipher of executable 'openssl'

[Aaron]

Does your test case result in ECDHE being used when you change only 
the protocol on both ends from ssl3 to tls1?  
Yes, I tested and verified this.

Thanks again,
Aaron   
  



--
View this message in context: 
http://openssl.6102.n7.nabble.com/The-behavior-change-of-command-line-utility-openssl-tp58557p58697.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] The default cipher of executable 'openssl'

[Aaron]

Hi Dave,

Thanks for your comments.

I am not really familiar with OpenSSL, so some parts of my descriptions may
not be not very clear.

Right, I am talking about s_server subcommand. You mentioned that there is
no change in this area. However I can easily show something is change using
s_server subcommand. I am using original OpenSSL code to build my 'openssl',
to this change is not from me.

1) 1.0.1l 
./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile
certdb/cafile.pem 
Using default temp DH parameters 
Using default temp ECDH parameters 
ACCEPT 

2) 1.0.2 
./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile
certdb/cafile.pem 
Using default temp DH parameters 
ACCEPT 

Note that, in 1.0.2, openssl doesn't print out 'Using default temp ECDH
parameters'. 

I checked related code in s_server.c and ssl_conf.c, There are some updates.
Some related code is moved from s_server.c to ssl_conf.c. However I haven't
found the root cause of this change. 

I encountered a similar issue when upgrading from OpenSSL 1.0.1l to 1.0.1m.
I paste my analysis and fix below. After I applied my fix, the issue
disappeared.
1) Analysis
File s_server.c was updated in OpenSSL 1.0.1m. Variable 'no_ecdhe' was
uninitialized after the update. This causes the condition of the if
statement (if (!no_ecdheon) {...}) on line 1682 not to be true. Then
ECDHE-RSA-AES256-SHA is not the default temp ECDH parameters of 'openssl
s_server' any more.

2) Fix
273   diff -wruN openssl-1.0.1m.original/apps/s_server.c
openssl-1.0.1m.working/apps/s_server.c
274   --- openssl-1.0.1m.original/apps/s_server.c 2015-03-19
06:37:10.0 -0700
275   +++ openssl-1.0.1m.working/apps/s_server.c  2015-05-25
01:46:35.0 -0700
276   @@ -998,7 +998,7 @@
277int off = 0;
278int no_tmp_rsa = 0, no_dhe = 0, nocert = 0;
279#ifndef OPENSSL_NO_ECDH
280   -int no_ecdhe;
281   +int no_ecdhe = 0;
282#endif
283int state = 0;
284const SSL_METHOD *meth = NULL;

I noticed that the issue in 1.0.2 is not the same as the issue in 1.0.1m.
The issue started to appear in 1.0.2 rather than 1.0.2a.

Thanks,
Aaron




--
View this message in context: 
http://openssl.6102.n7.nabble.com/The-behavior-change-of-command-line-utility-openssl-tp58557p58631.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] The default cipher of executable 'openssl'

[Aaron]

Thanks so much, Viktor. Hence, this is an expected behavior change. In this
case I will update my application.

Aaron. 



--
View this message in context: 
http://openssl.6102.n7.nabble.com/The-behavior-change-of-command-line-utility-openssl-tp58557p58637.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] The default cipher of executable 'openssl'

[Viktor Dukhovni]

On Thu, Jun 11, 2015 at 11:19:17PM -0700, Aaron wrote:

 Right, I am talking about s_server subcommand. You mentioned that there is
 no change in this area. However I can easily show something is change using
 s_server subcommand. I am using original OpenSSL code to build my 'openssl',
 to this change is not from me.
 
 1) 1.0.1l 
 ./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile
 certdb/cafile.pem 
 Using default temp DH parameters 
 Using default temp ECDH parameters 
 ACCEPT 

With SSL 3.0, no extension support, thus no supported curves
extension, thus ideally no EDCHE support.  If ECDHE happened anyway
with earlier releases, that was a bug that is perhaps now fixed.

 2) 1.0.2 
 ./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile
 certdb/cafile.pem 
 Using default temp DH parameters 
 ACCEPT 
 
 Note that, in 1.0.2, openssl doesn't print out 'Using default temp ECDH
 parameters'. 

To get ECDHE support, use TLSv1.0 or later.

-- 
Viktor.
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] The default cipher of executable 'openssl'

[Viktor Dukhovni]

On Fri, Jun 12, 2015 at 01:35:22AM -0700, Aaron wrote:

 Thanks so much, Viktor. Hence, this is an expected behavior change. In this
 case I will update my application.

Does your test case result in ECDHE being used when you change only
the protocol on both ends from ssl3 to tls1?  If so, I think this
that confirms my hunch.  

I've not hunted down the specific changes that might have tightened
down use of ECDHE in the absense of the relevant extensions (nor
even whether the change is in the server or client).  So this
analysis is disturbingly plausible (an amusing phrase borrowed
from another context, too long to explain...).

-- 
Viktor.
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] The default cipher of executable 'openssl'

[Dave Thompson]

 From: openssl-users On Behalf Of Aaron
 Sent: Wednesday, June 10, 2015 03:47

 We are using executable 'apps/openssl' in our test cases. We upgraded from
 OpenSSL 1.0.1l to OpenSSL 1.0.2a recently. Since then one of our test
cases
 started to fail. After checking, I noticed that the default cipher of
 'openssl' was changed from ECDHE-RSA-AES256-SHA to DHE-RSA-AES256-SHA

'openssl' doesn't have a default cipher; it implements over 40 subcommands

which use different kinds of ciphers with different defaults or none. You
appear 
to be talking about the 's_client' or 's_server' subcommand, which use the 
library's SSL/TLS default cipherLIST, which contains about 100 ciphersuites 
in preference order. The only differences in this list between 1.0.1l and
1.0.2a 
are that 1.0.2a (also 1.0.1m and 1.0.0r) removes the long-obsolete EXPORT 
suites (finally, perhaps due to the FREAK and Logjam attacks exploiting
them)
and adds newly-implemented static-DH suites, which are ignored unless your 
server has a certificate for a DH key, which in practice nobody does, so
they 
don't affect you (other than further bloating the ClientHello message).

Both 1.0.1 and 1.0.2 have ECDHE-RSA-AES256-SHA ordered before 
DHE-RSA-AES256-SHA, so s_client talking to a server that honors client 
preference should still get the same result, and s_server listening to a 
client that has the same preference should still get the same result.
Whatever changed in your test this wasn't it.

 OpenSSL 1.0.2. The related description in OpenSSL 1.0.2 change log is as
 follows. snip
 My question is how to enable automatic EC temporary key parameter
 selection?

Commandline doesn't use that feature (yet?), only updated app code 
using the library. Both 1.0.1 and 1.0.2 default to a fixed curve, P256, and 
allow you to specify any (fixed) named curve, see -named_curve.

 Is it possible to change the default cipher back to ECDHE-RSA-AES256-SHA?

There's no change to be changed back.

All the above assumes that when you identify versions of OpenSSL you 
mean executables compiled from those version source releases without 
modification. If either or both of your executables was built with any 
source changes or any configuration options that alter the release 
behavior, all bets are off; you'll have to look at your specific builds.
E.g. RedHat builds used to nobble all ECC (but that was fixed by 1.0.2a).
If you ARE using release versions, try getting traces (either externally 
with something like wireshark or tcpdump, or internally with -msg and/or 
-debug in either s_client or s_server) to see if anything is materially 
different on the wire (and what).



___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] The default cipher of executable 'openssl'

[Aaron]

Hello,

We are using executable 'apps/openssl' in our test cases. We upgraded from
OpenSSL 1.0.1l to OpenSSL 1.0.2a recently. Since then one of our test cases
started to fail. After checking, I noticed that the default cipher of
'openssl' was changed from ECDHE-RSA-AES256-SHA to DHE-RSA-AES256-SHA in
OpenSSL 1.0.2. The related description in OpenSSL 1.0.2 change log is as
follows.

474   *) Support for automatic EC temporary key parameter selection. If
enabled 
475  the most preferred EC parameters are automatically used instead of 
476  hardcoded fixed parameters. Now a server just has to call: 
477  SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically 
478  support ECDH and use the most appropriate parameters. 
479  [Steve Henson] 

My question is how to enable automatic EC temporary key parameter selection?
Is it possible to change the default cipher back to ECDHE-RSA-AES256-SHA?

Thanks,
Aaron



--
View this message in context: 
http://openssl.6102.n7.nabble.com/The-default-cipher-of-executable-openssl-tp58557.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users