[openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

Jakob Bohm jb-openssl at wisemo.com
Fri Dec 4 12:35:27 UTC 2015 

For clarity, which version of WinCE, and which CPU (Arm,
MIPS,PPC, x86, SH3, SH4, ...)?

Which Microsoft Compiler version (EVC3, EVC4, one of the
Visual Studio projects, 3rd party compiler) and which
exact compiler version (reported by running the compiler
executable (named according to CPU) with no arguments.

I ask because your proposed fix may be affected by compiler and/or CPU 
quirks.

On 04/12/2015 12:31, Jayalakshmi bhat wrote:
> Hi Matt,
>
> Thanks a lot for the response.
>
> Is your application a client or a server? Are both ends using OpenSSL 
> 1.0.2d? If not, what is the other end using?
> >>Our device has both TLS client,server apps. As client, device communicates with radius 
> server, LDAP server etc.As server device is accessed using various 
> web browsers.
> Hence both the end will not be OpenSSL 1.0.2d.
>
> How exactly are you doing that? Which specific cipher are you seeing fail?
> >> We have provided user option to select TLS protocol versions similar to the browsers. 
> Depending upon the user configurations we set the protocol flags 
> (SSL_OP_NO_TLSv1,SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2) in the SSL 
> context using SSL_CTX_clear_options/SSL_CTX_set_options.
> >> We have provided user option to chose ciphers as well.
> All these are in the application space,no changes have been done and 
> they have been working good with OpenSSL 1.0.1c. Only the library is 
> upgraded to OpenSSL 1.0.2d.I have used AES256-CBC and AES128 CBC 
> ciphers and with both the ciphers issue is seen.
>
> Are you able to provide a packet capture?
> >> Please find the attached traces for server mode.
> What O/S is this on?
> >>This is built for WinCE and Vxworks
>
> Regards
> Jaya
>
>
>
> On Fri, Dec 4, 2015 at 3:02 PM, Matt Caswell <matt at openssl.org 
> <mailto:matt at openssl.org>> wrote:
>
>     Hello Jaya
>
>     We're going to need some more information. There isn't a generic
>     problem
>     with CBC ciphers and TLS1.0 in 1.0.2d (it's working fine for me) - so
>     there is something specific about your environment that is causing the
>     issue. Comments inserted below.
>
>     On 04/12/15 06:53, Jayalakshmi bhat wrote:
>     > Hi All,
>     >
>     >
>     >
>     > Recently we have ported OpenSSL 1.0.2d. Everything works perfect
>     except
>     > the below explained issue.
>
>     Is your application a client or a server? Are both ends using OpenSSL
>     1.0.2d? If not, what is the other end using?
>
>
>     > When we enable only TLS 1.0 protocol and select CBC ciphers,
>
>     How exactly are you doing that? Which specific cipher are you
>     seeing fail?
>
>
>     > Now my question is whatever I did is it correct?
>
>     That would not be a recommended solution
>
>     > Or Do need to replace
>     > complete s3_cbc.c with OpenSSL 1.0.1e?
>
>     No. You cannot just copy and paste stuff from 1.0.1 to 1.0.2.
>
>     Some other questions:
>
>     Are you able to provide a packet capture?
>     How did you build OpenSSL...i.e. what "Configure" options did you use?
>     What O/S is this on?
>
>     Matt
>     _______________________________________________
>     openssl-users mailing list
>     To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
>
>
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151204/77d8dece/attachment-0001.html>

More information about the openssl-users mailing list