[openssl-users] The default cipher of executable 'openssl'

Aaron wangqun at alumni.nus.edu.sg
Fri Jun 12 06:19:17 UTC 2015


Hi Dave,

Thanks for your comments.

I am not really familiar with OpenSSL, so some parts of my description may
not be very clear.

Right, I am talking about the s_server subcommand. You mentioned that there is
no change in this area. However, I can easily show that something has changed using
the s_server subcommand. I am using the original OpenSSL code to build my 'openssl',
so this change is not from me.

1) 1.0.1l 
./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile
certdb/cafile.pem 
Using default temp DH parameters 
Using default temp ECDH parameters 
ACCEPT 

2) 1.0.2 
./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile
certdb/cafile.pem 
Using default temp DH parameters 
ACCEPT 

Note that, in 1.0.2, openssl doesn't print out 'Using default temp ECDH
parameters'. 

I checked the related code in s_server.c and ssl_conf.c; there are some updates.
Some related code was moved from s_server.c to ssl_conf.c. However, I haven't
found the root cause of this change.

I encountered a similar issue when upgrading from OpenSSL 1.0.1l to 1.0.1m.
I paste my analysis and fix below. After I applied my fix, the issue
disappeared.
1) Analysis
File s_server.c was updated in OpenSSL 1.0.1m. Variable 'no_ecdhe' was
uninitialized after the update. This causes the condition of the if
statement (if (!no_ecdhe) {...}) on line 1682 not to be true. Then
ECDHE-RSA-AES256-SHA is not the default temp ECDH parameters of 'openssl
s_server' any more.

2) Fix
273   diff -wruN openssl-1.0.1m.original/apps/s_server.c
openssl-1.0.1m.working/apps/s_server.c
274   --- openssl-1.0.1m.original/apps/s_server.c     2015-03-19
06:37:10.000000000 -0700
275   +++ openssl-1.0.1m.working/apps/s_server.c      2015-05-25
01:46:35.000000000 -0700
276   @@ -998,7 +998,7 @@
277        int off = 0;
278        int no_tmp_rsa = 0, no_dhe = 0, nocert = 0;
279    #ifndef OPENSSL_NO_ECDH
280   -    int no_ecdhe;
281   +    int no_ecdhe = 0;
282    #endif
283        int state = 0;
284        const SSL_METHOD *meth = NULL;
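Review bot: the initializer is the right fix, and the underlying defect is worth stating precisely: nothing in this hunk assigns `no_ecdhe`, so unless option parsing later sets it, the `if (!no_ecdhe)` test described above reads an indeterminate value, which is undefined behaviour rather than a reliable "ECDH off"; whatever the stack happened to hold decided whether the default temp ECDH parameters were installed, so the symptom could differ between builds and even between runs. `int no_ecdhe = 0;` also matches the neighbouring `int no_tmp_rsa = 0, no_dhe = 0, nocert = 0;`, which is the style the rest of the block already uses. Since the declaration sits under `#ifndef OPENSSL_NO_ECDH`, it is worth checking that no other locals in the same block lost their initializers in the same update and that a build with `OPENSSL_NO_ECDH` defined still compiles cleanly.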

I noticed that the issue in 1.0.2 is not the same as the issue in 1.0.1m.
The issue started to appear in 1.0.2 rather than 1.0.2a.

Thanks,
Aaron



