
Re: Selecting TLS Cipher problem



Thanks for the reply,

I am trying to disable all the ciphers and then only enable the ciphers
captured by the HIGH, SSLv3, TLSv1, MEDIUM, and SSLv2 list (these are
maintained by the openssl guys I think...
http://www.openssl.org/docs/apps/ciphers.html ).  Explicitly turning off
the NULL ciphers.  Whenever possible I want to try and use SHA digests
instead of MD5 since MD5 is no longer the approved digest, but those are
preferred above non-digested ciphers (which are not present in SSLv2 and
later, but...).

After poking about the net a bit more (thanks to the Ah Ha of the ! that
you listed below) I have revised this to
HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:@STRENGTH:+SHA:+MD5

Which yields:

# openssl ciphers -v 'HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:@STRENGTH:+SHA:+MD5'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5 
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5 
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 

This tells me that now I am actually selecting a valid cipher list, but
the start-up problem remains.

TLS: could not set cipher list HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:@STRENGTH:+SHA:+MD5.
main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
slapd stopped.


OpenLDAP 2.4.7-5 on Debian x86 installed from apt
Pat

On Mon, 2008-03-24 at 12:44 -0600, Philip Guenther wrote:
> On Mon, 24 Mar 2008, Pat Riehecky wrote:
> > I am trying to limit the cipher list for TLS negotiations, but I don't
> > seem to be able to do this.....
> ...
> > TLS: could not set cipher list !ALL:HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!
> > aNULL:!NULL:+SHA:+MD5.
> > main: TLS init def ctx failed: -1
> 
> You can test your cipher list expression by passing it to the "openssl 
> ciphers" command:
> 
> $ openssl ciphers -v !ALL:HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:+SHA:+MD5
> Error in cipher list
> 16507:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:/usr/src/lib/libssl/src/ssl/ssl_lib.c:1144:
> $
> 
> So your cipher list disables all the ciphers.  The error is in the first 
> term:
>       If `!' is used, then the ciphers are permanently deleted from the list.
>       The ciphers deleted can never reappear in the list even if they are ex-
>       plicitly stated.
> 
> So, your "!ALL" completely removes the "ALL" ciphers from the list and 
> nothing can reinsert them after that.
> 
> 
> Offhand, it's not clear what you're trying to accomplish with that cipher 
> list expression, so it's not clear what the right 'fix' is.
> 
> 
> Philip Guenther
>
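Added example, not part of the thread: the `!ALL` behaviour Philip describes, checked from Python's stdlib `ssl` module, which hands the expression to the same libssl `SSL_CTX_set_cipher_list` call that slapd's "could not set cipher list" message comes from. The expressions are taken from the thread; the `-ALL:HIGH` variant is added to contrast `-` (temporary delete) with `!` (permanent kill). It assumes a Python build linked against OpenSSL 1.1.1 or later (so `get_ciphers()` is available and TLS 1.3 suites are listed separately).

```python
import ssl


def resolve_cipher_list(spec):
    """Apply an OpenSSL cipher-list expression and report what survives.

    Returns the ordered TLS <= 1.2 cipher suites libssl selected, or None
    when the expression leaves nothing selectable. libssl reports that as
    'no cipher match', which is exactly the case slapd surfaces as
    'TLS: could not set cipher list ...' followed by 'TLS init def ctx failed'.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        # Raised when SSL_CTX_set_cipher_list() returns 0, i.e. empty list.
        return None
    # TLS 1.3 suites are fixed by libssl and not governed by this expression;
    # drop them so the remaining order reflects the expression alone.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def strength_ordered(ciphers):
    """True when strength_bits never increases, as @STRENGTH guarantees."""
    bits = [c["strength_bits"] for c in ciphers]
    return all(a >= b for a, b in zip(bits, bits[1:]))


if __name__ == "__main__":
    # '!ALL' kills every cipher for good; the later HIGH cannot re-add them.
    # '-ALL' only deselects them, so HIGH puts the strong ones back.
    for spec in ("!ALL:HIGH", "-ALL:HIGH", "HIGH:!aNULL:!NULL:@STRENGTH"):
        result = resolve_cipher_list(spec)
        if result is None:
            print(f"{spec!r}: no cipher match (slapd would refuse to start)")
            continue
        print(f"{spec!r}: {len(result)} suites, strength-sorted="
              f"{strength_ordered(result)}")
        for c in result[:3]:
            print(f"    {c['name']:<30} {c['protocol']:<7} "
                  f"{c['strength_bits']} bits")
```

Running it without arguments prints one summary line per expression, so the failing list is identified before it is ever put in slapd.conf.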