<div dir="ltr">Hi Matt,<div><br></div><div>I tried following code but it is crashing @ <b>SSL_CTX_set_ciphersuites</b></div><div>s_ctx = SSL_CTX_new(TLS_method());<br></div><div>SSL_CTX_set_options(s_ctx, SSL_OP_NO_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE);<br></div><div>SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);<br></div><div>SSL_CTX_set_ciphersuites(s_ctx, "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384");<br></div><div><br></div><div>In the debugger I noticed </div><div><br></div><div>s_ctx :: cipher_list & cipher_list_by_id are both NULL</div><div>However tls13_ciphersuites is populated.</div><div>Further in update_cipher_list which is called by SSL_CTX_set_ciphersuites tries to delete this cipher_list and hence crash ?</div><div><br></div><div>Any pointer what I am missing?</div><div><br></div><div>-Thanks</div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Aug 6, 2019 at 7:48 PM Matt Caswell <<a href="mailto:matt@openssl.org">matt@openssl.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
On 06/08/2019 14:58, Chitrang Srivastava wrote:<br>
> Yeah I mean TLS 1.3 cipher , sorry I haven't pasted exact names.<br>
> So after SSL_OP_CIPHER_SERVER_PREFERENCE, server uses <br>
> TLS_1_3_AES_256_SHA_384.<br>
> While without that it uses TLS_1_3_AES_128_SHA_256, which is better in terms of<br>
> performance.<br>
<br>
Ah! Right - now I understand.<br>
<br>
So the option SSL_OP_CIPHER_SERVER_PREFERENCE means that the server prefers the<br>
server's ordering of ciphersuites compared to the clients. With that option set<br>
it will use the first ciphersuite that is in the server's list that is also in<br>
the client's list. Without the set it will use the first ciphersuite that is in<br>
the client's list that is also in the server's list. Server operators often<br>
prefer this because it gives more control over which ciphersuite ultimately gets<br>
used. But that's only really useful if you also look at this list of configured<br>
ciphersuites and make sure they are in your preferred order! Otherwise the<br>
option is fairly pointless!<br>
<br>
For TLSv1.3 the default list is:<br>
<br>
# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \<br>
"TLS_CHACHA20_POLY1305_SHA256:" \<br>
"TLS_AES_128_GCM_SHA256"<br>
<br>
If you want a different order you can use the functions<br>
SSL_CTX_set_ciphersuites() (or SSL_set_ciphersuites()) to amend it:<br>
<br>
<a href="https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html" rel="noreferrer" target="_blank">https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html</a><br>
<br>
Matt<br>
<br>
> <br>
> Thanks very much,<br>
> Chitrang<br>
> <br>
> Tuesday, August 6, 2019, Matt Caswell <<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a><br>
> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>>> wrote:<br>
> <br>
> <br>
> <br>
> On 06/08/2019 12:20, Chitrang Srivastava wrote:<br>
> > Noticed that if I set SSL_OP_CIPHER_SERVER_PREFERENCE,<br>
> TLS_1_3_AES_256_SHA_384<br>
> > is being used while without that<br>
> > AES_128_SHA256 is being used and I see client(Chrome) send this as first<br>
> preference.<br>
> > Is there anyway where I can always prefer AES-128-SHA256 cipher suite of<br>
> TLS 1.3?<br>
> <br>
> Hmmm...are you sure?<br>
> <br>
> Those names don't look like OpenSSL names for those ciphersuites. I guess you<br>
> mean TLS_AES_256_GCM_SHA384 and AES128-SHA256. The former is a TLSv1.3<br>
> ciphersuite and the latter is for TLSv1.2 and below. They are mutually<br>
> exclusive. If you negotiate TLSv1.3 then you can't use TLSv1.2 ciphersuites and<br>
> vice versa.<br>
> <br>
> SSL_OP_CIPHER_SERVER_PREFERENCE should not affect the protocol version<br>
> negotiated. OpenSSL negotiates the version *first* before deciding what<br>
> ciphersuite to use. So it should not be the case that<br>
> SSL_OP_CIPHER_SERVER_PREFERENCE suddenly causes a TLSv1.3 ciphersuite to be used<br>
> when a TLSv1.2 ciphersuite was used without it.<br>
> <br>
> Matt<br>
> <br>
> <br>
> ><br>
> > On Tue, Aug 6, 2019 at 3:53 PM Matt Caswell <<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a><br>
> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>><br>
> > <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>>>> wrote:<br>
> ><br>
> ><br>
> ><br>
> > On 06/08/2019 11:21, Chitrang Srivastava wrote:<br>
> > > Yes , since in my case mostly browser will be used to access<br>
> webserver running<br>
> > > on embedded platform.<br>
> > > Another question, since my webserver is running on embedded platform and<br>
> > it has<br>
> > > limited memory , I have disabled<br>
> > > ARIA/CAMELLIA and few others, is that OK ? because I don't see any<br>
> ciphers<br>
> > > suites which is used in practice.<br>
> ><br>
> > Yes, that should be fine.<br>
> ><br>
> > Matt<br>
> ><br>
> > ><br>
> > ><br>
> > ><br>
> > > On Tue, Aug 6, 2019 at 3:42 PM Matt Caswell <<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a><br>
> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>><br>
> > <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>>><br>
> > > <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>><br>
> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>>>>> wrote:<br>
> > ><br>
> > ><br>
> > ><br>
> > > On 06/08/2019 11:07, Chitrang Srivastava wrote:<br>
> > > > Thanks Matt,<br>
> > > ><br>
> > > > So now I have, which i believe is enough ?<br>
> > > ><br>
> > > > SSL_CTX_set_options(s_ctx, SSL_OP_NO_RENEGOTIATION |<br>
> > > > SSL_OP_CIPHER_SERVER_PREFERENCE);<br>
> > > > SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);<br>
> > ><br>
> > > This is fine although it obviously prevents connections from<br>
> very old<br>
> > clients<br>
> > > that don't support TLSv1.2. This might not be a problem for you<br>
> > depending on<br>
> > > your situation.<br>
> > ><br>
> > > Matt<br>
> > ><br>
> > > ><br>
> > > > On Tue, Aug 6, 2019 at 3:04 PM Matt Caswell <<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a><br>
> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>><br>
> > <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>>><br>
> > > <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>><br>
> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>>>><br>
> > > > <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>><br>
> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>>><br>
> > <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>><br>
> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>>>>>> wrote:<br>
> > > ><br>
> > > ><br>
> > > ><br>
> > > > On 06/08/2019 09:42, Chitrang Srivastava wrote:<br>
> > > > > Hi,<br>
> > > > ><br>
> > > > > I am implementing HTTPs server using openssl 1.1.1b.<br>
> > > > > Is it mandatory to setup these API's while creating ssl<br>
> context ?<br>
> > > > ><br>
> > > > > SSL_CTX_set_tmp_ecdh<br>
> > > > ><br>
> > > > > SSL_CTX_set_tmp_dh<br>
> > > ><br>
> > > > By default OpenSSL will automatically use ECDH if appropriate<br>
> > and choose a<br>
> > > > suitable group so there is no need to call<br>
> SSL_CTX_set_tmp_ecdh()<br>
> > > unless you<br>
> > > > want more control over which specific group is used.<br>
> > > ><br>
> > > > OpenSSL will not use DH unless you specifically configure<br>
> it. If you<br>
> > > want to<br>
> > > > make use of DH based ciphersuites then you must either call<br>
> > > SSL_CTX_set_tmp_dh()<br>
> > > > or SSL_CTX_set_dh_auto() (or the SSL_* equivalents).<br>
> Calling the<br>
> > > former enables<br>
> > > > you to configure any arbitrary DH group that you choose.<br>
> Calling the<br>
> > > latter will<br>
> > > > enable the built-in DH groups.<br>
> > > ><br>
> > > > It is not mandatory to call any of the above.<br>
> > > ><br>
> > > > ><br>
> > > > > Also any suggestion what all options one should set while<br>
> > setting up<br>
> > > > server like<br>
> > > > > SSL_CTX_set_options like SSL_OP_NO_SSLv2 |SSL_OP_NO_SSLv3<br>
> > > ><br>
> > > > Don't use the protocol version specific options at all. Use<br>
> > > > SSL_CTX_set_min_proto_version() if you want to specify a<br>
> minimum<br>
> > protocol<br>
> > > > version. SSLv2 is no longer supported at all. SSLv3 is<br>
> compiled<br>
> > out by<br>
> > > default.<br>
> > > ><br>
> > > > Other options that are worth considering are<br>
> > SSL_OP_NO_RENEGOTIATION and<br>
> > > > (possibly) SSL_OP_CIPHER_SERVER_PREFERENCE. Generally you<br>
> don't need<br>
> > > the others<br>
> > > > unless there is a specific problem you are trying to solve.<br>
> > > ><br>
> > > > Matt<br>
> > > ><br>
> > ><br>
> ><br>
> <br>
</blockquote></div>