Re: Selecting TLS Cipher problem
Thanks for the reply,
I am trying to disable all the ciphers and then only enable the ciphers
captured by the HIGH, SSLv3, TLSv1, MEDIUM, and SSLv2 list (these are
maintained by the openssl guys I think...
http://www.openssl.org/docs/apps/ciphers.html ). Explicitly turning off
the NULL ciphers. Whenever possible I want to try and use SHA digests
instead of MD5 since MD5 is no longer the approved digest, but those are
preferred above non-digested ciphers (which are not present in SSLv2 and
later, but...).
After poking about the net a bit more (thanks to the Ah Ha of the ! that
you listed below) I have revised this to
HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:@STRENGTH:+SHA:+MD5
Which yields
# openssl ciphers -v 'HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:@STRENGTH:+SHA:+MD5'
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
This tells me that now I am actually selecting a valid cipher list, but
the start-up problem remains.
TLS: could not set cipher list HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:@STRENGTH:+SHA:+MD5.
main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
slapd stopped.
OpenLDAP 2.4.7-5 on Debian x86 installed from apt
Pat
On Mon, 2008-03-24 at 12:44 -0600, Philip Guenther wrote:
> On Mon, 24 Mar 2008, Pat Riehecky wrote:
> > I am trying to limit the cipher list for TLS negotiations, but I don't
> > seem to be able to do this.....
> ...
> > TLS: could not set cipher list !ALL:HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:+SHA:+MD5.
> > main: TLS init def ctx failed: -1
>
> You can test your cipher list expression by passing it to the "openssl
> ciphers" command:
>
> $ openssl ciphers -v !ALL:HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:+SHA:+MD5
> Error in cipher list
> 16507:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:/usr/src/lib/libssl/src/ssl/ssl_lib.c:1144:
> $
>
> So your cipher list disables all the ciphers. The error is in the first
> term:
> If `!' is used, then the ciphers are permanently deleted from the list.
> The ciphers deleted can never reappear in the list even if they are
> explicitly stated.
>
> So, your "!ALL" completely removes the "ALL" ciphers from the list and
> nothing can reinsert them after that.
>
>
> Offhand, it's not clear what you're trying to accomplish with that cipher
> list expression, so it's not clear what the right 'fix' is.
>
>
> Philip Guenther
>
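The check Philip describes (feed the expression to OpenSSL before the server does) can be scripted so that a bad cipher string is caught in a pre-start test rather than in the slapd log. The block below is an added example and is not code from this thread, from OpenLDAP or from OpenSSL. It uses Python's ssl module, whose SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list(), the routine named in both error messages, and SSLContext.get_ciphers() to read back what an accepted expression actually selects. It assumes a modern OpenSSL build, where the SSLv2 alias from the 2008 string is an unrecognised word that is skipped rather than an error. It goes one step beyond the thread by placing `-ALL:HIGH` next to `!ALL:HIGH`: the quoted manpage text is about `!`, and the `-` prefix is the variant that does let later terms re-add ciphers.

```python
"""Validate an OpenSSL cipher-list expression before a server loads it.

Added example, not code from the mailing-list thread or from OpenLDAP/OpenSSL.
SSLContext.set_ciphers() calls SSL_CTX_set_cipher_list(); when the expression
selects no cipher, OpenSSL reports "no cipher match" and Python raises
ssl.SSLError, which is the condition slapd logs as "could not set cipher list".
Assumption: a modern OpenSSL; the old SSLv2 alias is silently ignored by it.
"""
import re
import ssl
from collections import Counter

# Constructed inputs: the rejected and the revised expressions from the thread,
# plus a '-' versus '!' pair to show why the first one selects nothing.
REJECTED = "!ALL:HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:+SHA:+MD5"
REVISED = "HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:@STRENGTH:+SHA:+MD5"
MINUS_ALL = "-ALL:HIGH"   # '-' deletes, but a later term (HIGH) may re-add
BANG_ALL = "!ALL:HIGH"    # '!' deletes permanently; HIGH can no longer re-add


def check_cipher_list(expr):
    """Validate expr the way a server would; never raises.

    Returns {"ok": True, "ciphers": [suite dicts]} when OpenSSL accepts the
    expression, or {"ok": False, "error": message} when nothing is selected.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(expr)
    except ssl.SSLError as exc:
        return {"ok": False, "error": str(exc)}
    # Each dict carries 'name', 'protocol' and a 'description' string laid out
    # like one line of `openssl ciphers -v` (Kx=, Au=, Enc=, Mac= fields).
    return {"ok": True, "ciphers": ctx.get_ciphers()}


def summarize_macs(ciphers):
    """Count the selected suites by the Mac= field of their description."""
    counts = Counter()
    for c in ciphers:
        m = re.search(r"Mac=(\S+)", c["description"])
        counts[m.group(1) if m else "unknown"] += 1
    return dict(counts)


def md5_mac_suites(ciphers):
    """Names of selected suites that still authenticate records with MD5."""
    return [c["name"] for c in ciphers if "Mac=MD5" in c["description"]]


def null_suites(ciphers):
    """Names of selected suites with no encryption or no peer authentication."""
    return [c["name"] for c in ciphers if "NULL" in c["name"]]


if __name__ == "__main__":
    for label, expr in (("rejected", REJECTED), ("revised", REVISED),
                        ("-ALL:HIGH", MINUS_ALL), ("!ALL:HIGH", BANG_ALL)):
        result = check_cipher_list(expr)
        print(f"{label}: {expr}")
        if not result["ok"]:
            print(f"  OpenSSL refused it: {result['error']}")
            continue
        suites = result["ciphers"]
        print(f"  {len(suites)} suites, by MAC: {summarize_macs(suites)}")
        print(f"  MD5-MAC suites: {md5_mac_suites(suites) or 'none'}")
        print(f"  NULL suites: {null_suites(suites) or 'none'}")
```

The result only says what the OpenSSL linked into this Python accepts; a server built against a different OpenSSL version, or against another TLS library with its own priority-string syntax, may still reject an expression that passes here, so run the check with the same library the server uses where you can.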