[openssl-users] openssl-users Digest, Vol 29, Issue 20

Schmicker, Robert rschm2 at unh.newhaven.edu
Wed Apr 19 15:40:16 UTC 2017 

After some debugging (exactly as mentioned above) it appears that the cipher suite does not show up in the ClientHello using the s_client/s_server. I modified the cipher for testing to use 512 bits instead of 64 so that it is ranked highest.

Error server side:
SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:1979

Error Client side:
SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1469:SSL alert number 80

Any idea why the cipher would appear under the list of supported tls1.2 ciphers, yet it does not appear under the ClientHello even if specified with the -cipher option?



Hmm... it's not clear why the cipher isn't being sent in client hello. What
output do you get with -security_debug_verbose option? Also try including
@SECLEVEL=0 in the cipher string.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

The -security_debug_verbose option confirmed it was not being sent in the client hello. Here is the s_server command used:

openssl s_server -accept 6000 -tls1_2 -cert ./cert.pem -key ./key.pem -state -debug -msg -security_debug_verbose -cipher 'ECDHE-RSA-MYCIPHER-SHA256:@SECLEVEL=0'

Output:

Using default temp DH parameters
Security callback: Certificate chain EE key=RSA, bits=4096, security bits=128: yes
ACCEPT
Security callback: Version=TLS 1.3: yes
SSL_accept:before SSL initialization
read from 0x55613d95d540 [0x55613d962b23] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 77                                    ....w
<<< ??? [length 0005]
    16 03 01 00 77
read from 0x55613d95d540 [0x55613d962b28] (119 bytes => 119 (0x77))
0000 - 01 00 00 73 03 03 fa d8-cc c4 e4 fb 70 c1 49 95   ...s........p.I.
0010 - fe 21 20 76 b1 78 2a b9-db 5f b7 af b8 de 9a 2c   .! v.x*.._.....,
0020 - 5e de 74 d1 8f 66 00 00-04 c0 9c 00 ff 01 00 00   ^.t..f..........
0030 - 46 00 0b 00 04 03 00 01-02 00 0a 00 0a 00 08 00   F...............
0040 - 1d 00 17 00 19 00 18 00-23 00 00 00 0d 00 20 00   ........#..... .
0050 - 1e 04 03 05 03 06 03 08-04 08 05 08 06 04 01 05   ................
0060 - 01 06 01 02 03 02 01 02-02 04 02 05 02 06 02 00   ................
0070 - 16 00 00 00 17                                    .....
0077 - <SPACES/NULS>
SSL_accept:before SSL initialization
<<< TLS 1.3, Handshake [length 0077], ClientHello
    01 00 00 73 03 03 fa d8 cc c4 e4 fb 70 c1 49 95
    fe 21 20 76 b1 78 2a b9 db 5f b7 af b8 de 9a 2c
    5e de 74 d1 8f 66 00 00 04 c0 9c 00 ff 01 00 00
    46 00 0b 00 04 03 00 01 02 00 0a 00 0a 00 08 00
    1d 00 17 00 19 00 18 00 23 00 00 00 0d 00 20 00
    1e 04 03 05 03 06 03 08 04 08 05 08 06 04 01 05
    01 06 01 02 03 02 01 02 02 04 02 05 02 06 02 00
    16 00 00 00 17 00 00
Security callback: Version=TLS 1.2: yes
Security callback: : yes
Security callback: Shared Signature Algorithm digest=SHA256, algorithm=ECDSA, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA384, algorithm=ECDSA, security bits=192: yes
Security callback: Shared Signature Algorithm digest=SHA512, algorithm=ECDSA, security bits=256: yes
Security callback: Shared Signature Algorithm digest=SHA256, algid=4, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA384, algid=5, security bits=192: yes
Security callback: Shared Signature Algorithm digest=SHA512, algid=6, security bits=256: yes
Security callback: Shared Signature Algorithm digest=SHA256, algorithm=RSA, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA384, algorithm=RSA, security bits=192: yes
Security callback: Shared Signature Algorithm digest=SHA512, algorithm=RSA, security bits=256: yes
Security callback: Shared Signature Algorithm digest=SHA1, algorithm=ECDSA, security bits=80: yes
Security callback: Shared Signature Algorithm digest=SHA1, algorithm=RSA, security bits=80: yes
Security callback: Shared Signature Algorithm digest=SHA1, algorithm=DSA, security bits=80: yes
Security callback: Shared Signature Algorithm digest=SHA256, algorithm=DSA, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA384, algorithm=DSA, security bits=192: yes
Security callback: Shared Signature Algorithm digest=SHA512, algorithm=DSA, security bits=256: yes
Security callback: Shared Signature Algorithm digest=SHA256, algorithm=ECDSA, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA384, algorithm=ECDSA, security bits=192: yes
Security callback: Shared Signature Algorithm digest=SHA512, algorithm=ECDSA, security bits=256: yes
Security callback: Shared Signature Algorithm digest=SHA256, algid=4, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA384, algid=5, security bits=192: yes
Security callback: Shared Signature Algorithm digest=SHA512, algid=6, security bits=256: yes
Security callback: Shared Signature Algorithm digest=SHA256, algorithm=RSA, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA384, algorithm=RSA, security bits=192: yes
Security callback: Shared Signature Algorithm digest=SHA512, algorithm=RSA, security bits=256: yes
Security callback: Shared Signature Algorithm digest=SHA1, algorithm=ECDSA, security bits=80: yes
Security callback: Shared Signature Algorithm digest=SHA1, algorithm=RSA, security bits=80: yes
Security callback: Shared Signature Algorithm digest=SHA1, algorithm=DSA, security bits=80: yes
Security callback: Shared Signature Algorithm digest=SHA256, algorithm=DSA, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA384, algorithm=DSA, security bits=192: yes
Security callback: Shared Signature Algorithm digest=SHA512, algorithm=DSA, security bits=256: yes
>>> ??? [length 0005]
    15 03 03 00 02
write to 0x55613d95d540 [0x55613d96be30] (7 bytes => 7 (0x7))
0000 - 15 03 03 00 02 02 50                              ......P
>>> TLS 1.2, Alert [length 0002], fatal internal_error
    02 50
SSL3 alert write:fatal:internal error
SSL_accept:error in error
ERROR
140404400543168:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:1979:
shutting down SSL
CONNECTION CLOSED
ACCEPT

And the s_client:

openssl s_client -connect localhost:6000 -tls1_2 -state -debug -msg -security_debug_verbose -cipher 'ECDHE-RSA-MYCIPHER-SHA256:@SECLEVEL=0'

Output:

CONNECTED(00000003)
Security callback: Version=TLS 1.3: yes
SSL_connect:before SSL initialization
Security callback: Version=TLS 1.2: yes
Security callback: Signature Algorithm mask=SHA256, algorithm=ECDSA, security bits=128: yes
Security callback: Signature Algorithm mask=SHA256, algid=4, security bits=128: yes
Security callback: Signature Algorithm mask=SHA1, algorithm=DSA, security bits=80: yes
Security callback: Version=TLS 1.2: yes
Security callback: Supported Ciphersuite=ECDHE-RSA-NIGHTGALE-SHA256, security bits=512: yes
Security callback: Version=TLS 1.2: yes
Security callback: Supported Curve=X25519, security bits=128: yes
Security callback: Supported Curve=P-256, security bits=128: yes
Security callback: Supported Curve=P-521, security bits=256: yes
Security callback: Supported Curve=P-384, security bits=192: yes
Security callback: : yes
Security callback: Supported Signature Algorithm digest=SHA256, algorithm=ECDSA, security bits=128: yes
Security callback: Supported Signature Algorithm digest=SHA384, algorithm=ECDSA, security bits=192: yes
Security callback: Supported Signature Algorithm digest=SHA512, algorithm=ECDSA, security bits=256: yes
Security callback: Supported Signature Algorithm digest=SHA256, algid=4, security bits=128: yes
Security callback: Supported Signature Algorithm digest=SHA384, algid=5, security bits=192: yes
Security callback: Supported Signature Algorithm digest=SHA512, algid=6, security bits=256: yes
Security callback: Supported Signature Algorithm digest=SHA256, algorithm=RSA, security bits=128: yes
Security callback: Supported Signature Algorithm digest=SHA384, algorithm=RSA, security bits=192: yes
Security callback: Supported Signature Algorithm digest=SHA512, algorithm=RSA, security bits=256: yes
Security callback: Supported Signature Algorithm digest=SHA1, algorithm=ECDSA, security bits=80: yes
Security callback: Supported Signature Algorithm digest=SHA1, algorithm=RSA, security bits=80: yes
Security callback: Supported Signature Algorithm digest=SHA1, algorithm=DSA, security bits=80: yes
Security callback: Supported Signature Algorithm digest=SHA256, algorithm=DSA, security bits=128: yes
Security callback: Supported Signature Algorithm digest=SHA384, algorithm=DSA, security bits=192: yes
Security callback: Supported Signature Algorithm digest=SHA512, algorithm=DSA, security bits=256: yes
>>> ??? [length 0005]
    16 03 01 00 77
>>> TLS 1.2, Handshake [length 0077], ClientHello
    01 00 00 73 03 03 fa d8 cc c4 e4 fb 70 c1 49 95
    fe 21 20 76 b1 78 2a b9 db 5f b7 af b8 de 9a 2c
    5e de 74 d1 8f 66 00 00 04 c0 9c 00 ff 01 00 00
    46 00 0b 00 04 03 00 01 02 00 0a 00 0a 00 08 00
    1d 00 17 00 19 00 18 00 23 00 00 00 0d 00 20 00
    1e 04 03 05 03 06 03 08 04 08 05 08 06 04 01 05
    01 06 01 02 03 02 01 02 02 04 02 05 02 06 02 00
    16 00 00 00 17 00 00
write to 0x55a837046950 [0x55a8370578f0] (124 bytes => 124 (0x7C))
0000 - 16 03 01 00 77 01 00 00-73 03 03 fa d8 cc c4 e4   ....w...s.......
0010 - fb 70 c1 49 95 fe 21 20-76 b1 78 2a b9 db 5f b7   .p.I..! v.x*.._.
0020 - af b8 de 9a 2c 5e de 74-d1 8f 66 00 00 04 c0 9c   ....,^.t..f.....
0030 - 00 ff 01 00 00 46 00 0b-00 04 03 00 01 02 00 0a   .....F..........
0040 - 00 0a 00 08 00 1d 00 17-00 19 00 18 00 23 00 00   .............#..
0050 - 00 0d 00 20 00 1e 04 03-05 03 06 03 08 04 08 05   ... ............
0060 - 08 06 04 01 05 01 06 01-02 03 02 01 02 02 04 02   ................
0070 - 05 02 06 02 00 16 00 00-00 17                     ..........
007c - <SPACES/NULS>
SSL_connect:SSLv3/TLS write client hello
read from 0x55a837046950 [0x55a83704e653] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 02                                    .....
<<< ??? [length 0005]
    15 03 03 00 02
read from 0x55a837046950 [0x55a83704e658] (2 bytes => 2 (0x2))
0000 - 02 50                                             .P
<<< TLS 1.2, Alert [length 0002], fatal internal_error
    02 50
SSL3 alert read:fatal:internal error
SSL_connect:error in SSLv3/TLS write client hello
139951664014784:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1469:SSL alert number 80
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 124 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1492615665
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
However, when viewing the supported ciphers, the cipher I'm attempting to integrate shows up as the first option in priority.

openssl ciphers -s -v
ECDHE-RSA-MYCIPHER-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=MYCIPHER Mac=AEAD

It seems as though when the priority list of ciphers available is being created (I think its the ssl_create_cipher_list on line 1283 ssl/ssl_ciph.c) the newly created cipher is not being built up in the list... maybe? Because when I execute s_server/s_client without specifying a cipher it shows the following list server side:

Shared ciphers:AES128-CCM:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA

So I think if I can find where and how the above list is being created (I assume this list is generated both client and server side), then I think I'm close to being able to use this new cipher in SSL.

Thank you again for your expertise on this.
Rob


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170419/19db1f1b/attachment-0001.html>

More information about the openssl-users mailing list