[openssl-users] Integrating New Cipher Suite

Wallboy wallboy at wallboy.ca
Sun Oct 1 13:48:44 UTC 2017


Hi,

I'm also interested in adding a few "pseudo" ciphersuites to OpenSSL.
Notably the 16 GREASE ones Chrome currently uses (0x0A0A, 0x1A1A...0xFAFA).

I made similar changes to the files listed in this thread and compiled
successfully (based on 1.1.0f). I see the new cipher when doing "openssl
ciphers ALL:eNULL". 

However I had the same issue that when trying to include it using s_client,
the ClientHello message did not actually send it:

     openssl s_client -cipher "ECDHE-RSA-AES256-SHA:GREASE-0A0A" -connect www.google.com:443 -servername www.google.com

ClientHello contained two ciphersuites: the first one listed and also the
SCSV cipher.

I then tried this:

     openssl s_client -cipher "ECDHE-RSA-AES256-SHA:GREASE-0A0A:@SECLEVEL=0" -connect www.google.com:443 -servername www.google.com

Bingo! But the ClientHello now sends 4 Ciphersuites. The first one listed,
followed by my GREASE pseudo cipher, then TLS_RSA_WITH_RC4_128_MD5, then the
SCSV cipher.

I'm not sure why that RC4 cipher is sent. Although it probably has to do
with the fact I structured that GREASE cipher after it:

     {
     1,
     SSL3_TXT_GREASE1,
     SSL3_CK_GREASE1,
     SSL_kRSA,
     SSL_aRSA,
     SSL_RC4,
     SSL_MD5,
     SSL3_VERSION, TLS1_2_VERSION,
     0, 0,
     SSL_NOT_DEFAULT | SSL_MEDIUM,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     128,
     128,
     },

If I'm just trying to use it as a pseudo cipher for ClientHello messages,
how should it look in the above struct? And how can I get it to send without
specifying SECLEVEL=0?

Bonus Question: Is it possible to remove the SCSV cipher in the ClientHello?

Thanks for any help
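
A way to check which suites a ClientHello really offers, as an added example that is not part of the original post and not OpenSSL code: it walks a ClientHello body to the cipher_suites vector and counts GREASE values (0x0A0A...0xFAFA), the SCSV (0x00FF) and TLS_RSA_WITH_RC4_128_MD5 (0x0004). The function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What one ClientHello offers; ok is 0 when the input is malformed. */
struct suite_report { int ok, total, grease, scsv, rc4_md5; };

/* GREASE values 0x0A0A..0xFAFA: both bytes equal, low nibble 0xA. */
static int is_grease(uint16_t id) {
    return (id >> 8) == (id & 0xFF) && (id & 0x0F) == 0x0A;
}

/* Walk a ClientHello body (handshake header stripped) up to cipher_suites. */
struct suite_report report_suites(const uint8_t *b, size_t len) {
    struct suite_report r = {0, 0, 0, 0, 0};
    size_t off = 2 + 32;                    /* client_version + random */
    if (len < off + 1) return r;
    off += 1 + (size_t)b[off];              /* session_id */
    if (len < off + 2) return r;
    size_t n = ((size_t)b[off] << 8) | b[off + 1];
    off += 2;
    if (n == 0 || (n & 1) || len < off + n) return r;   /* truncated or odd */
    for (size_t i = 0; i < n; i += 2) {
        uint16_t id = (uint16_t)((b[off + i] << 8) | b[off + i + 1]);
        r.total++;
        if (is_grease(id)) r.grease++;
        else if (id == 0x00FF) r.scsv++;    /* TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
        else if (id == 0x0004) r.rc4_md5++; /* TLS_RSA_WITH_RC4_128_MD5 */
    }
    r.ok = 1;
    return r;
}

/* Constructed sample: the post's four suites in order; cut trims the tail. */
struct suite_report sample_report(size_t cut) {
    static const uint8_t hello[47] = {
        [0] = 0x03, [1] = 0x03,             /* TLS 1.2, zero random, no session_id */
        [36] = 0x08,                        /* cipher_suites length = 8 */
        [37] = 0xC0, 0x14, 0x0A, 0x0A, 0x00, 0x04, 0x00, 0xFF,
        0x01, 0x00                          /* compression_methods: null */
    };
    return report_suites(hello, sizeof hello - cut);
}

int main(void) {
    struct suite_report r = sample_report(0);
    printf("total=%d grease=%d scsv=%d rc4_md5=%d\n", r.total, r.grease, r.scsv, r.rc4_md5);
    return 0;
}
```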
    


