cipherlist with only tlsv1.3 ciphers reports error?

PGNet Dev pgnet.dev at gmail.com
Fri Jul 19 19:48:31 UTC 2019


> Works for me:

heh.  of COURSE it does!

sanity check here,

  openssl ciphers  -stdname -s -V 'TTLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384'

	Error in cipher list
	140042399306176:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2549:


> Different OpenSSL release?

yes

openssl version
	OpenSSL 1.1.1c  28 May 2019

> Difference in build configuration?

yes

openssl version -f -p
	platform: linux-x86_64
	compiler: /usr/bin/gcc-9 -fPIC -pthread -m64 -Wa,--noexecstack -O3 -Wall -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fmessage-length=0 -grecord-gcc-switches -march=native -mtune=native -fno-common -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -D_GNU_SOURCE -DOPENSSL_NO_BUF_FREELISTS -DOPENSSL_NO_HEARTBEATS -DPURIFY -DSSL_FORBID_ENULL -DTERMIO -O3 -Wall -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fmessage-length=0 -grecord-gcc-switches -march=native -mtune=native -D_FORTIFY_SOURCE=2

which is quite different than yours. the config which I start with

	./config -v \
	 --prefix=/usr/local/openssl11 \
	 --openssldir=/usr/local/openssl11 \
	 --libdir=lib64 \
	 -D_GNU_SOURCE \
	 -DOPENSSL_NO_BUF_FREELISTS \
	 -DOPENSSL_NO_HEARTBEATS \
	 -DPURIFY \
	 -DSSL_FORBID_ENULL \
	 -DTERMIO \
	 -Wa,--noexecstack \
	 -Wl,-z,relro,-z,now \
	 -Wall \
	 -Wl,-rpath=/usr/local/openssl11 \
	 -fno-common \
	 threads shared \
	 no-comp no-zlib no-zlib-dynamic \
	 enable-ec_nistp_64_gcc_128 \
	 no-sctp \
	 no-idea \
	 no-mdc2 \
	 no-rc2 \
	 no-rc5 \
	 no-ssl3 \
	 no-weak-ssl-ciphers \
	 no-nextprotoneg

That, too, is 'old' (been in use for a loooong time ...), and probably can benefit from some clean-up.

As to what of that^ is causing my fail ... ? not immediately clear what the culprit is.

Before I start decomposing the config difference, anything obvious leap out at you?

> Configuration file difference?

which config file are you referring to?

