Re: [openssl-users] The default cipher of executable 'openssl'
From: openssl-users On Behalf Of Viktor Dukhovni Sent: Friday, June 12, 2015 02:47 1) 1.0.1l ./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile certdb/cafile.pem Using default temp DH parameters Using default temp ECDH parameters ACCEPT With SSL 3.0, no extension support, thus no supported curves extension, thus ideally no EDCHE support. If ECDHE happened anyway with earlier releases, that was a bug that is perhaps now fixed. That is it. I'm not sure a bug, but I'd agree not ideal. 4492 says client SHOULD send the curves and pointformats extensions, but if it doesn't the server is free to choose any one of [4492 named curves] (no BCP14 verb). OpenSSL's old behavior of using a particular curve is permitted. I'm not sure it was an intentional change. =1.0.1 had all the logic in ssl3_choose_cipher, with (large clumsy) code blocks of the form if ECC suite is in intersection of client and server lists and we have ECC keycert, but client specified curves and our curve isn't among them, don't use ECC suite, and similarly for pointformats. If client didn't send the extensions the don't use branch wasn't taken. 1.0.2 has new APIs for both client and server apps to restrict curves, and ssl3_choose_cipher is rearranged into several new routines, using I think some new data, with result that if the client doesn't send extensions ECC is NOT selected (and in the OPs case DHE is). 2) 1.0.2 ./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile certdb/cafile.pem Using default temp DH parameters ACCEPT Note that, in 1.0.2, openssl doesn't print out 'Using default temp ECDH parameters'. That's a red herring. That code was also refactored; s_server still defaults to P256, it just doesn't say so. If I run 1.0.2* s_server -ssl3 then s_client allowing at least 1.0, it sends clienthello containing ECC suites in cipherlist (by default), with applicable extensions including two for ECC; receiving this, server negotiates version=3.0, but DOES select ECDHE-RSA (given RSA certkey) and client agrees. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] The default cipher of executable 'openssl'
Does your test case result in ECDHE being used when you change only the protocol on both ends from ssl3 to tls1? Yes, I tested and verified this. Thanks again, Aaron -- View this message in context: http://openssl.6102.n7.nabble.com/The-behavior-change-of-command-line-utility-openssl-tp58557p58697.html Sent from the OpenSSL - User mailing list archive at Nabble.com. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] The default cipher of executable 'openssl'
Hi Dave, Thanks for your comments. I am not really familiar with OpenSSL, so some parts of my descriptions may not be not very clear. Right, I am talking about s_server subcommand. You mentioned that there is no change in this area. However I can easily show something is change using s_server subcommand. I am using original OpenSSL code to build my 'openssl', to this change is not from me. 1) 1.0.1l ./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile certdb/cafile.pem Using default temp DH parameters Using default temp ECDH parameters ACCEPT 2) 1.0.2 ./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile certdb/cafile.pem Using default temp DH parameters ACCEPT Note that, in 1.0.2, openssl doesn't print out 'Using default temp ECDH parameters'. I checked related code in s_server.c and ssl_conf.c, There are some updates. Some related code is moved from s_server.c to ssl_conf.c. However I haven't found the root cause of this change. I encountered a similar issue when upgrading from OpenSSL 1.0.1l to 1.0.1m. I paste my analysis and fix below. After I applied my fix, the issue disappeared. 1) Analysis File s_server.c was updated in OpenSSL 1.0.1m. Variable 'no_ecdhe' was uninitialized after the update. This causes the condition of the if statement (if (!no_ecdheon) {...}) on line 1682 not to be true. Then ECDHE-RSA-AES256-SHA is not the default temp ECDH parameters of 'openssl s_server' any more. 2) Fix 273 diff -wruN openssl-1.0.1m.original/apps/s_server.c openssl-1.0.1m.working/apps/s_server.c 274 --- openssl-1.0.1m.original/apps/s_server.c 2015-03-19 06:37:10.0 -0700 275 +++ openssl-1.0.1m.working/apps/s_server.c 2015-05-25 01:46:35.0 -0700 276 @@ -998,7 +998,7 @@ 277int off = 0; 278int no_tmp_rsa = 0, no_dhe = 0, nocert = 0; 279#ifndef OPENSSL_NO_ECDH 280 -int no_ecdhe; 281 +int no_ecdhe = 0; 282#endif 283int state = 0; 284const SSL_METHOD *meth = NULL; I noticed that the issue in 1.0.2 is not the same as the issue in 1.0.1m. The issue started to appear in 1.0.2 rather than 1.0.2a. Thanks, Aaron -- View this message in context: http://openssl.6102.n7.nabble.com/The-behavior-change-of-command-line-utility-openssl-tp58557p58631.html Sent from the OpenSSL - User mailing list archive at Nabble.com. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] The default cipher of executable 'openssl'
Thanks so much, Viktor. Hence, this is an expected behavior change. In this case I will update my application. Aaron. -- View this message in context: http://openssl.6102.n7.nabble.com/The-behavior-change-of-command-line-utility-openssl-tp58557p58637.html Sent from the OpenSSL - User mailing list archive at Nabble.com. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] The default cipher of executable 'openssl'
On Thu, Jun 11, 2015 at 11:19:17PM -0700, Aaron wrote: Right, I am talking about s_server subcommand. You mentioned that there is no change in this area. However I can easily show something is change using s_server subcommand. I am using original OpenSSL code to build my 'openssl', to this change is not from me. 1) 1.0.1l ./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile certdb/cafile.pem Using default temp DH parameters Using default temp ECDH parameters ACCEPT With SSL 3.0, no extension support, thus no supported curves extension, thus ideally no EDCHE support. If ECDHE happened anyway with earlier releases, that was a bug that is perhaps now fixed. 2) 1.0.2 ./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile certdb/cafile.pem Using default temp DH parameters ACCEPT Note that, in 1.0.2, openssl doesn't print out 'Using default temp ECDH parameters'. To get ECDHE support, use TLSv1.0 or later. -- Viktor. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] The default cipher of executable 'openssl'
On Fri, Jun 12, 2015 at 01:35:22AM -0700, Aaron wrote: Thanks so much, Viktor. Hence, this is an expected behavior change. In this case I will update my application. Does your test case result in ECDHE being used when you change only the protocol on both ends from ssl3 to tls1? If so, I think this that confirms my hunch. I've not hunted down the specific changes that might have tightened down use of ECDHE in the absense of the relevant extensions (nor even whether the change is in the server or client). So this analysis is disturbingly plausible (an amusing phrase borrowed from another context, too long to explain...). -- Viktor. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] The default cipher of executable 'openssl'
From: openssl-users On Behalf Of Aaron Sent: Wednesday, June 10, 2015 03:47 We are using executable 'apps/openssl' in our test cases. We upgraded from OpenSSL 1.0.1l to OpenSSL 1.0.2a recently. Since then one of our test cases started to fail. After checking, I noticed that the default cipher of 'openssl' was changed from ECDHE-RSA-AES256-SHA to DHE-RSA-AES256-SHA 'openssl' doesn't have a default cipher; it implements over 40 subcommands which use different kinds of ciphers with different defaults or none. You appear to be talking about the 's_client' or 's_server' subcommand, which use the library's SSL/TLS default cipherLIST, which contains about 100 ciphersuites in preference order. The only differences in this list between 1.0.1l and 1.0.2a are that 1.0.2a (also 1.0.1m and 1.0.0r) removes the long-obsolete EXPORT suites (finally, perhaps due to the FREAK and Logjam attacks exploiting them) and adds newly-implemented static-DH suites, which are ignored unless your server has a certificate for a DH key, which in practice nobody does, so they don't affect you (other than further bloating the ClientHello message). Both 1.0.1 and 1.0.2 have ECDHE-RSA-AES256-SHA ordered before DHE-RSA-AES256-SHA, so s_client talking to a server that honors client preference should still get the same result, and s_server listening to a client that has the same preference should still get the same result. Whatever changed in your test this wasn't it. OpenSSL 1.0.2. The related description in OpenSSL 1.0.2 change log is as follows. snip My question is how to enable automatic EC temporary key parameter selection? Commandline doesn't use that feature (yet?), only updated app code using the library. Both 1.0.1 and 1.0.2 default to a fixed curve, P256, and allow you to specify any (fixed) named curve, see -named_curve. Is it possible to change the default cipher back to ECDHE-RSA-AES256-SHA? There's no change to be changed back. All the above assumes that when you identify versions of OpenSSL you mean executables compiled from those version source releases without modification. If either or both of your executables was built with any source changes or any configuration options that alter the release behavior, all bets are off; you'll have to look at your specific builds. E.g. RedHat builds used to nobble all ECC (but that was fixed by 1.0.2a). If you ARE using release versions, try getting traces (either externally with something like wireshark or tcpdump, or internally with -msg and/or -debug in either s_client or s_server) to see if anything is materially different on the wire (and what). ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] The default cipher of executable 'openssl'
Hello, We are using executable 'apps/openssl' in our test cases. We upgraded from OpenSSL 1.0.1l to OpenSSL 1.0.2a recently. Since then one of our test cases started to fail. After checking, I noticed that the default cipher of 'openssl' was changed from ECDHE-RSA-AES256-SHA to DHE-RSA-AES256-SHA in OpenSSL 1.0.2. The related description in OpenSSL 1.0.2 change log is as follows. 474 *) Support for automatic EC temporary key parameter selection. If enabled 475 the most preferred EC parameters are automatically used instead of 476 hardcoded fixed parameters. Now a server just has to call: 477 SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically 478 support ECDH and use the most appropriate parameters. 479 [Steve Henson] My question is how to enable automatic EC temporary key parameter selection? Is it possible to change the default cipher back to ECDHE-RSA-AES256-SHA? Thanks, Aaron -- View this message in context: http://openssl.6102.n7.nabble.com/The-default-cipher-of-executable-openssl-tp58557.html Sent from the OpenSSL - User mailing list archive at Nabble.com. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users