[openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

Matt Caswell matt at openssl.org
Fri Dec 4 13:34:33 UTC 2015

On 04/12/15 11:31, Jayalakshmi bhat wrote:
> Hi Matt,
> Thanks a lot for the response. 
> Is your application a client or a server? Are both ends using
> OpenSSL 1.0.2d? If not, what is the other end using?
>>>Our device has both TLS client,server apps. As client, device communicates with radius server, LDAP server etc.As
> server device is accessed using various web browsers. 
> Hence both the end will not be OpenSSL 1.0.2d.
> How exactly are you doing that? Which specific cipher are you seeing fail?
>>> We have provided user option to select TLS protocol versions similar to the browsers. Depending upon the user configurations we set the protocol flags (SSL_OP_NO_TLSv1,SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2) in the SSL context using SSL_CTX_clear_options/SSL_CTX_set_options.
>>> We have provided user option to chose ciphers as well. 
> All these are in the application space,no changes have been done and
> they have been working good with OpenSSL 1.0.1c. Only the library is
> upgraded to OpenSSL 1.0.2d.I have used AES256-CBC and AES128 CBC ciphers
> and with both the ciphers issue is seen.
> Are you able to provide a packet capture?
>>> Please find the attached traces for server mode.
> What O/S is this on?
>>>This is built for WinCE and Vxworks

Thanks. Please could you also send the exact patch that you applied that
resolved the issue?


More information about the openssl-users mailing list