[openssl-users] AESCBC support in SSL

ASHIQUE CK ckashiquekvk at gmail.com
Mon Nov 19 05:42:46 UTC 2018


Hi,
I had given all the cipher strings for  "SSL_CTX_set_cipher_list" which we
get under the command 'openssl ciphers' that includes CBC, but any of them
didnot worked. All of them showed the error "error:141640B5:SSL
routines:tls_construct_client_hello:no ciphers available". I have used
TLSv1_2 or SSLv23.
Also I have tried setting  these strings for "SSLCipherSuite" at apache
server configuration. But it makes no change for choosing the server
default ciphersuit "ECDHE-RSA-AES256-GCM-SHA384".

Thanks

On Fri, Nov 16, 2018 at 9:15 PM Viktor Dukhovni <openssl-users at dukhovni.org>
wrote:

>
>
> > On Nov 16, 2018, at 7:45 AM, ASHIQUE CK <ckashiquekvk at gmail.com> wrote:
> >
> > Does SSL connection supports AESCBC?
>
> Yes, but not under that name.
>
> >  I could not set AESCBC in "SSL_CTX_set_cipher_list" at client side or
> in "SSLCipherSuite" at apache server side.
>
> For example (constrained also to RSA and ECDHE to keep the list short):
>
>   $ openssl ciphers -v 'AES128+aRSA+kECDHE:!AESGCM'
>   ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
>   ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
>
> There isn't a cipherlist property that specifically selects CBC, so to
> get *only* CBC, you need to exclude AESGCM (and perhaps also AESCCM).
>
> --
>         Viktor.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20181119/257294c1/attachment.html>


More information about the openssl-users mailing list