[openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

Nounou Dadoun nounou.dadoun at avigilon.com
Fri Dec 4 17:29:54 UTC 2015

Just coincidentally we may have an issue in a pending release that looks much like this scenario as well;
In our case, the server is 1.0.2d and the client is not.

 I'll update details as I get them .. N

Nou Dadoun
Senior Firmware Developer, Security Specialist

Office: 604.629.5182 ext 2632 
Support: 888.281.5182  |  avigilon.com
Follow Twitter  |  Follow LinkedIn

This email, including any files attached hereto (the "email"), contains privileged and confidential information and is only for the intended addressee(s). If this email has been sent to you in error, such sending does not constitute waiver of privilege and we request that you kindly delete the email and notify the sender. Any unauthorized use or disclosure of this email is prohibited. Avigilon and certain other trade names used herein are the registered and/or unregistered trademarks of Avigilon Corporation and/or its affiliates in Canada and other jurisdictions worldwide.

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Matt Caswell
Sent: Friday, December 04, 2015 5:35 AM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

On 04/12/15 11:31, Jayalakshmi bhat wrote:
> Hi Matt,
> Thanks a lot for the response. 
> Is your application a client or a server? Are both ends using OpenSSL 
> 1.0.2d? If not, what is the other end using?
>>>Our device has both TLS client,server apps. As client, device 
>>>communicates with radius server, LDAP server etc.As
> server device is accessed using various web browsers. 
> Hence both the end will not be OpenSSL 1.0.2d.
> How exactly are you doing that? Which specific cipher are you seeing fail?
>>> We have provided user option to select TLS protocol versions similar to the browsers. Depending upon the user configurations we set the protocol flags (SSL_OP_NO_TLSv1,SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2) in the SSL context using SSL_CTX_clear_options/SSL_CTX_set_options.
>>> We have provided user option to chose ciphers as well. 
> All these are in the application space,no changes have been done and 
> they have been working good with OpenSSL 1.0.1c. Only the library is 
> upgraded to OpenSSL 1.0.2d.I have used AES256-CBC and AES128 CBC 
> ciphers and with both the ciphers issue is seen.
> Are you able to provide a packet capture?
>>> Please find the attached traces for server mode.
> What O/S is this on?
>>>This is built for WinCE and Vxworks

Thanks. Please could you also send the exact patch that you applied that resolved the issue?

openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

More information about the openssl-users mailing list