Re: [openssl-users] Fwd: Does TLSv1.2 support 3DES

2017-08-09 Thread Salz, Rich via openssl-users 
> May be my email subject is a little confusing. I'll put my question directly.
> 
> If I configure my server with the string "HIGH+TLSv1.2:!MD5:!SHA1", will it
> support 3DES?

No, as I showed.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Fwd: Does TLSv1.2 support 3DES

2017-08-09 Thread haris iqbal 
May be my email subject is a little confusing. I'll put my question directly.

If I configure my server with the string "HIGH+TLSv1.2:!MD5:!SHA1",
will it support 3DES?

On Wed, Aug 9, 2017 at 11:45 PM, Viktor Dukhovni
 wrote:
> On Wed, Aug 09, 2017 at 04:07:30PM +, Salz, Rich via openssl-users wrote:
>
>> > From [this][1] link I can see that TLS1.2 does not have 3DES in their 
>> > available
>> > cipher list. So I guess it does not support?
>>
>> Right:
>>
>> ; ./apps/openssl ciphers -v HIGH+TLSv1.2:!MD5:!SHA1 | grep DES
>> ; ./apps/openssl ciphers -v TLSv1.2:!MD5:!SHA1 | grep DES
>> ; ./apps/openssl ciphers -v TLSv1.2 | grep DES
>
> This is wrong.  The "TLSv1.2" ciphers are just the ciphers that
> are *new* in TLS 1.2.  A number of TLS 1.2 ciphers date back to
> SSLv3.  The right way to see TLS 1.2 3DES ciphers is:
>
> $ openssl ciphers -s tls1_2 -V 3DES
>   0xC0,0x12 - ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH Au=RSA  
> Enc=3DES(168) Mac=SHA1
>   0xC0,0x08 - ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA 
> Enc=3DES(168) Mac=SHA1
>   0xC0,0x1C - SRP-DSS-3DES-EDE-CBC-SHA SSLv3 Kx=SRP  Au=DSS  
> Enc=3DES(168) Mac=SHA1
>   0xC0,0x1B - SRP-RSA-3DES-EDE-CBC-SHA SSLv3 Kx=SRP  Au=RSA  
> Enc=3DES(168) Mac=SHA1
>   0xC0,0x1A - SRP-3DES-EDE-CBC-SHASSLv3 Kx=SRP  Au=SRP  
> Enc=3DES(168) Mac=SHA1
>   0x00,0x16 - EDH-RSA-DES-CBC3-SHASSLv3 Kx=DH   Au=RSA  
> Enc=3DES(168) Mac=SHA1
>   0x00,0x13 - EDH-DSS-DES-CBC3-SHASSLv3 Kx=DH   Au=DSS  
> Enc=3DES(168) Mac=SHA1
>   0x00,0x10 - DH-RSA-DES-CBC3-SHA SSLv3 Kx=DH/RSA   Au=DH   
> Enc=3DES(168) Mac=SHA1
>   0x00,0x0D - DH-DSS-DES-CBC3-SHA SSLv3 Kx=DH/DSS   Au=DH   
> Enc=3DES(168) Mac=SHA1
>   0xC0,0x17 - AECDH-DES-CBC3-SHA  SSLv3 Kx=ECDH Au=None 
> Enc=3DES(168) Mac=SHA1
>   0x00,0x1B - ADH-DES-CBC3-SHASSLv3 Kx=DH   Au=None 
> Enc=3DES(168) Mac=SHA1
>   0xC0,0x0D - ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH 
> Enc=3DES(168) Mac=SHA1
>   0xC0,0x03 - ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH 
> Enc=3DES(168) Mac=SHA1
>   0x00,0x0A - DES-CBC3-SHASSLv3 Kx=RSA  Au=RSA  
> Enc=3DES(168) Mac=SHA1
>   0x00,0x8B - PSK-3DES-EDE-CBC-SHASSLv3 Kx=PSK  Au=PSK  
> Enc=3DES(168) Mac=SHA1
>
> See Appendix A.5 of RFC5246 for some of the above 3DES codepoints.
> See also the IANA TLS ciphersuite registry.
>
> --
> Viktor.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



-- 

With regards,

Md Haris Iqbal,
Contact: +91 8861996962
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Fwd: Does TLSv1.2 support 3DES

2017-08-09 Thread Viktor Dukhovni 
On Wed, Aug 09, 2017 at 04:07:30PM +, Salz, Rich via openssl-users wrote:

> > From [this][1] link I can see that TLS1.2 does not have 3DES in their 
> > available
> > cipher list. So I guess it does not support?
> 
> Right:
> 
> ; ./apps/openssl ciphers -v HIGH+TLSv1.2:!MD5:!SHA1 | grep DES
> ; ./apps/openssl ciphers -v TLSv1.2:!MD5:!SHA1 | grep DES
> ; ./apps/openssl ciphers -v TLSv1.2 | grep DES

This is wrong.  The "TLSv1.2" ciphers are just the ciphers that
are *new* in TLS 1.2.  A number of TLS 1.2 ciphers date back to
SSLv3.  The right way to see TLS 1.2 3DES ciphers is:

$ openssl ciphers -s tls1_2 -V 3DES
  0xC0,0x12 - ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH Au=RSA  
Enc=3DES(168) Mac=SHA1
  0xC0,0x08 - ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA 
Enc=3DES(168) Mac=SHA1
  0xC0,0x1C - SRP-DSS-3DES-EDE-CBC-SHA SSLv3 Kx=SRP  Au=DSS  
Enc=3DES(168) Mac=SHA1
  0xC0,0x1B - SRP-RSA-3DES-EDE-CBC-SHA SSLv3 Kx=SRP  Au=RSA  
Enc=3DES(168) Mac=SHA1
  0xC0,0x1A - SRP-3DES-EDE-CBC-SHASSLv3 Kx=SRP  Au=SRP  
Enc=3DES(168) Mac=SHA1
  0x00,0x16 - EDH-RSA-DES-CBC3-SHASSLv3 Kx=DH   Au=RSA  
Enc=3DES(168) Mac=SHA1
  0x00,0x13 - EDH-DSS-DES-CBC3-SHASSLv3 Kx=DH   Au=DSS  
Enc=3DES(168) Mac=SHA1
  0x00,0x10 - DH-RSA-DES-CBC3-SHA SSLv3 Kx=DH/RSA   Au=DH   
Enc=3DES(168) Mac=SHA1
  0x00,0x0D - DH-DSS-DES-CBC3-SHA SSLv3 Kx=DH/DSS   Au=DH   
Enc=3DES(168) Mac=SHA1
  0xC0,0x17 - AECDH-DES-CBC3-SHA  SSLv3 Kx=ECDH Au=None 
Enc=3DES(168) Mac=SHA1
  0x00,0x1B - ADH-DES-CBC3-SHASSLv3 Kx=DH   Au=None 
Enc=3DES(168) Mac=SHA1
  0xC0,0x0D - ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH 
Enc=3DES(168) Mac=SHA1
  0xC0,0x03 - ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH 
Enc=3DES(168) Mac=SHA1
  0x00,0x0A - DES-CBC3-SHASSLv3 Kx=RSA  Au=RSA  
Enc=3DES(168) Mac=SHA1
  0x00,0x8B - PSK-3DES-EDE-CBC-SHASSLv3 Kx=PSK  Au=PSK  
Enc=3DES(168) Mac=SHA1

See Appendix A.5 of RFC5246 for some of the above 3DES codepoints.
See also the IANA TLS ciphersuite registry.

-- 
Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Fwd: Does TLSv1.2 support 3DES

2017-08-09 Thread Salz, Rich via openssl-users 
> From [this][1] link I can see that TLS1.2 does not have 3DES in their 
> available
> cipher list. So I guess it does not support?

Right:

; ./apps/openssl ciphers -v HIGH+TLSv1.2:!MD5:!SHA1 | grep DES
; ./apps/openssl ciphers -v TLSv1.2:!MD5:!SHA1 | grep DES
; ./apps/openssl ciphers -v TLSv1.2 | grep DES
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Fwd: Does TLSv1.2 support 3DES

2017-08-09 Thread haris iqbal 
Hi,

I wanted to know if I configure my openssl server to explicitly use
TLSv1.2, the do I have to also mention not to use 3DES (by adding
"!3DES" to the string), or the expicit use of TLSv1.2 remove the
support of 3DES.

>From [this][1] link I can see that TLS1.2 does not have 3DES in their
available cipher list. So I guess it does not support?

The string I am using is "HIGH+TLSv1.2:!MD5:!SHA1"


  [1]: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html


--

With regards,

Md Haris Iqbal,
Contact: +91 8861996962
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users