[openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

Jayalakshmi bhat bhat.jayalakshmi at gmail.com
Fri Dec 4 18:57:07 UTC 2015 

Hi Jakob

CPU is ARMARCH4. WinCE version is 6.0. I will get the compiler details
shortly.

Regards
Jaya

On Fri, Dec 4, 2015 at 6:05 PM, Jakob Bohm <jb-openssl at wisemo.com> wrote:

> For clarity, which version of WinCE, and which CPU (Arm,
> MIPS, PPC, x86, SH3, SH4, ...)?
>
> Which Microsoft Compiler version (EVC3, EVC4, one of the
> Visual Studio projects, 3rd party compiler) and which
> exact compiler version (reported by running the compiler
> executable (named according to CPU) with no arguments.
>
> I ask because your proposed fix may be affected by compiler and/or CPU
> quirks.
>
> On 04/12/2015 12:31, Jayalakshmi bhat wrote:
>
> Hi Matt,
>
> Thanks a lot for the response.
>
> Is your application a client or a server? Are both ends using OpenSSL 1.0.2d?
> If not, what is the other end using?
> >>Our device has both TLS client,server apps. As client, device
> communicates with radius server, LDAP server etc.As server device is
> accessed using various web browsers.
> Hence both the end will not be OpenSSL 1.0.2d.
>
> How exactly are you doing that? Which specific cipher are you seeing fail?
> >> We have provided user option to select TLS protocol versions similar to
> the browsers. Depending upon the user configurations we set the protocol
> flags (SSL_OP_NO_TLSv1,SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2) in the SSL
> context using SSL_CTX_clear_options/SSL_CTX_set_options.
> >> We have provided user option to chose ciphers as well.
> All these are in the application space,no changes have been done and they
> have been working good with OpenSSL 1.0.1c. Only the library is upgraded to
> OpenSSL 1.0.2d.I have used AES256-CBC and AES128 CBC ciphers and with
> both the ciphers issue is seen.
>
> Are you able to provide a packet capture?
> >> Please find the attached traces for server mode.
> What O/S is this on?
> >>This is built for WinCE and Vxworks
>
> Regards
> Jaya
>
>
>
> On Fri, Dec 4, 2015 at 3:02 PM, Matt Caswell <matt at openssl.org> wrote:
>
>> Hello Jaya
>>
>> We're going to need some more information. There isn't a generic problem
>> with CBC ciphers and TLS1.0 in 1.0.2d (it's working fine for me) - so
>> there is something specific about your environment that is causing the
>> issue. Comments inserted below.
>>
>> On 04/12/15 06:53, Jayalakshmi bhat wrote:
>> > Hi All,
>> >
>> >
>> >
>> > Recently we have ported OpenSSL 1.0.2d. Everything works perfect except
>> > the below explained issue.
>>
>> Is your application a client or a server? Are both ends using OpenSSL
>> 1.0.2d? If not, what is the other end using?
>>
>>
>> > When we enable only TLS 1.0 protocol and select CBC ciphers,
>>
>> How exactly are you doing that? Which specific cipher are you seeing fail?
>>
>>
>> > Now my question is whatever I did is it correct?
>>
>> That would not be a recommended solution
>>
>> > Or Do need to replace
>> > complete s3_cbc.c with OpenSSL 1.0.1e?
>>
>> No. You cannot just copy and paste stuff from 1.0.1 to 1.0.2.
>>
>> Some other questions:
>>
>> Are you able to provide a packet capture?
>> How did you build OpenSSL...i.e. what "Configure" options did you use?
>> What O/S is this on?
>>
>> Matt
>> _______________________________________________
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
>
>
>
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>
>
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151205/d14f7317/attachment-0001.html>

More information about the openssl-users mailing list