[openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object

Dr. Stephen Henson steve at openssl.org
Mon Mar 14 22:34:17 UTC 2016

On Mon, Mar 14, 2016, Blumenthal, Uri - 0553 - MITLL wrote:

> On 3/14/16, 14:45, "openssl-dev on behalf of Viktor Dukhovni"
> <openssl-dev-bounces at openssl.org on behalf of openssl-users at dukhovni.org>
> wrote:
> >On Mon, Mar 14, 2016 at 05:45:34PM +0000, Stephan Mühlstrasser via RT
> >wrote:
> >> I had written a message about this issue to openssl-users, but received
> >> no reaction.
> >
> >IIRC RC4 (more generally all stream ciphers) are not supported with
> >CMS, and the bug is that OpenSSL allowed you to use RC4, not that
> >the result failed to decrypt.
> Is there any reason why stream ciphers are not supported with CMS?

Well one reason is that I'm not aware of any standard which defines how to use
stream ciphers with CMS.

OpenSSL should really reject these with an appropriate error. 

> Along the same line, is there any reason why AE(AD) ciphers are not
> supported with "openssl enc"?

They require additional handling such as setting parameters and how to handle the
tag. That functionality is not currently present in the enc utility.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
