[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Selecting TLS Cipher problem

To: Pat Riehecky <prieheck@iwu.edu>
Subject: Re: Selecting TLS Cipher problem
From: Philip Guenther <guenther+ldapsoft@sendmail.com>
Date: Mon, 24 Mar 2008 12:44:05 -0600
Cc: openldap-software@openldap.org
In-reply-to: <1206382616.7251.15.camel@localhost>
References: <1206382616.7251.15.camel@localhost>
User-agent: Alpine 1.00 (BSO 882 2007-12-20)

On Mon, 24 Mar 2008, Pat Riehecky wrote:

I am trying to limit the cipher list for TLS negotiations, but I don't
seem to be able to do this.....

...

TLS: could not set cipher list !ALL:HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!
aNULL:!NULL:+SHA:+MD5.
main: TLS init def ctx failed: -1

You can test your cipher list expression by passing it to the "openssl ciphers" command:

$ openssl ciphers -v !ALL:HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:+SHA:+MD5
Error in cipher list
16507:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:/usr/src/lib/libssl/src/ssl/ssl_lib.c:1144:
$

So your cipher list disables all the ciphers. The error is in the first term: If `!' is used, then the ciphers are permanently deleted from the list. The ciphers deleted can never reappear in the list even if they are ex- plicitly stated.

So, your "!ALL" completely removes the "ALL" ciphers from the list and nothing can reinsert them after that.

Offhand, it's not clear what you're trying to accomplish with that cipher list expression, so it's not clear what the right 'fix' is.


Philip Guenther

Follow-Ups:
- Re: Selecting TLS Cipher problem
  - From: Pat Riehecky <prieheck@iwu.edu>
- Re: Selecting TLS Cipher problem
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

References:
- Selecting TLS Cipher problem
  - From: Pat Riehecky <prieheck@iwu.edu>

Prev by Date: Selecting TLS Cipher problem
Next by Date: Re: Selecting TLS Cipher problem
Index(es):
- Chronological
- Thread