[openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

Jayalakshmi bhat bhat.jayalakshmi at gmail.com
Fri Dec 4 18:21:48 UTC 2015


Hi Matt,

I replaced constant_time_eq_8 usage in s3_cbc.c with the implementation
available in OpenSSL 1.0.1e. Things worked fine.

Regards
Jaya

On Fri, Dec 4, 2015 at 7:04 PM, Matt Caswell <matt at openssl.org> wrote:

>
>
> On 04/12/15 11:31, Jayalakshmi bhat wrote:
> > Hi Matt,
> >
> > Thanks a lot for the response.
> >
> > Is your application a client or a server? Are both ends using
> > OpenSSL 1.0.2d? If not, what is the other end using?
> > >>>Our device has both TLS client, server apps. As client, device
> > communicates with RADIUS server, LDAP server etc. As
> > server device is accessed using various web browsers.
> > Hence both the end will not be OpenSSL 1.0.2d.
> >
> > How exactly are you doing that? Which specific cipher are you seeing
> > fail?
> > >>> We have provided user option to select TLS protocol versions similar
> > to the browsers. Depending upon the user configurations we set the protocol
> > flags (SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2) in the SSL
> > context using SSL_CTX_clear_options/SSL_CTX_set_options.
> > >>> We have provided user option to choose ciphers as well.
> > All these are in the application space, no changes have been done and
> > they have been working good with OpenSSL 1.0.1c. Only the library is
> > upgraded to OpenSSL 1.0.2d. I have used AES256-CBC and AES128 CBC ciphers
> > and with both the ciphers issue is seen.
> >
> > Are you able to provide a packet capture?
> >>> Please find the attached traces for server mode.
> > What O/S is this on?
> > >>>This is built for WinCE and VxWorks
>
> Thanks. Please could you also send the exact patch that you applied that
> resolved the issue?
>
> Matt
>
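A self-check for a branch-free 8-bit equality mask of the kind `constant_time_eq_8` provides, as an added example that is not OpenSSL's code and not part of the original messages: it computes the mask two ways and compares both against a plain `==` over every byte pair, so it can be built with the target toolchain. The `ct_*` names are hypothetical, and the assumed contract is that the helper returns 0xff for equal byte values and 0x00 otherwise.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helper: all-ones if the top bit of a is set, otherwise 0. */
static unsigned int ct_msb(unsigned int a)
{
    return 0u - (a >> (sizeof(a) * CHAR_BIT - 1));
}

/* Variant A: ~x & (x - 1) has its top bit set only when x == 0,
 * so the mask is all-ones exactly when a == b. */
static unsigned char ct_eq_8_a(unsigned int a, unsigned int b)
{
    unsigned int x = a ^ b;
    return (unsigned char)ct_msb(~x & (x - 1u));
}

/* Variant B (byte-sized inputs only): with x <= 0xff, x - 1 wraps to
 * all-ones, and so has its top bit set, only when x == 0. */
static unsigned char ct_eq_8_b(unsigned int a, unsigned int b)
{
    unsigned int x = (a ^ b) & 0xffu;
    return (unsigned char)ct_msb(x - 1u);
}

/* Returns the number of byte pairs where either variant disagrees with ==. */
static unsigned int ct_eq_8_selftest(void)
{
    unsigned int a, b, failures = 0;
    for (a = 0; a < 256; a++) {
        for (b = 0; b < 256; b++) {
            unsigned char want = (a == b) ? 0xff : 0x00;
            if (ct_eq_8_a(a, b) != want || ct_eq_8_b(a, b) != want)
                failures++;
        }
    }
    return failures;
}

int main(void)
{
    unsigned int failures = ct_eq_8_selftest();
    printf("equality mask self-test: %u mismatches\n", failures);
    return failures != 0;
}
```

A non-zero mismatch count on one build but not another isolates the difference to the compiler or its flags rather than to the TLS code calling the helper.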