[openssl-users] Help with ssl error

Viktor Dukhovni openssl-users at dukhovni.org
Wed Apr 19 17:01:51 UTC 2017


> On Apr 19, 2017, at 12:48 PM, Joseph Southwell <jsouthwell at serengeti.com> wrote:
> 
> Sorry we did do that. It just didn’t look different so I didn’t send it (pasted below). I also have asked for help from the server admin but it is a non-English-speaking country and they don’t seem to be interested in talking to me. I have another product supposedly using OpenSSL that is currently working fine so it must be possible. That product is using 0.9.8something.

The "0.9.8something" releases support RC4, 3DES, export ciphers, ...
OpenSSL 1.1.0 does not by default include any of these.  You can
get RC4 and 3DES by compiling with weak ciphers enabled, the EXPORT
ciphers are expunged from the code.

> So specifying -cipher "AES128-SHA" will cause it to not use DHE?

Yes, it will offer just that single ciphersuite "0x002f" and nothing
else.  If that does not work, the claim that the server supports RSA
with AES-128-CBC is not credible.

To find out what it does support, build OpenSSL 1.0.2, and try connecting
with that version of "s_client".

Another thing to try is sending an SNI name (-servername ...), perhaps
the server wants to see that, though it seems very unlikely for FTP.

You could also try restricting the protocol to TLS 1.0, perhaps the
server mishandles TLS 1.2 and/or TLS 1.1:

	... -no_tls1_2 -no_tls1_1

-- 
	Viktor.
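
Added example, not part of the original message and not OpenSSL code: a small parser that classifies the first TLS record a server returns after a ClientHello offering only ciphersuite 0x002f, separating a ServerHello that selects the suite from a fatal alert. The function name and both sample byte strings are constructed for illustration, and the parser assumes the whole ServerHello arrives in a single record.

```python
import struct

# Subset of the IANA TLS registries, limited to values relevant to this thread.
SUITES = {0x002F: "AES128-SHA"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def classify_first_record(data: bytes) -> dict:
    """Classify the first TLS record a server returns after a ClientHello."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    rtype, _rver, rlen = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rlen]
    if len(body) != rlen:
        raise ValueError("truncated record body")
    if rtype == 21:  # alert record: level byte, description byte
        if rlen != 2:
            raise ValueError("malformed alert")
        level, desc = body
        return {"kind": "alert", "fatal": level == 2,
                "description": ALERTS.get(desc, f"alert {desc}")}
    if rtype == 22 and body[:1] == b"\x02":  # handshake record, ServerHello
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        if len(hello) < 35:
            raise ValueError("truncated ServerHello")
        off = 35 + hello[34]  # skip version(2), random(32), session_id
        if len(hello) < off + 2:
            raise ValueError("truncated ServerHello")
        version, = struct.unpack("!H", hello[:2])
        suite, = struct.unpack("!H", hello[off:off + 2])
        return {"kind": "server_hello",
                "version": VERSIONS.get(version, hex(version)),
                "suite": suite, "suite_name": SUITES.get(suite, hex(suite))}
    raise ValueError(f"unexpected record type {rtype}")

# Constructed sample: fatal handshake_failure alert in a TLS 1.0 record.
SAMPLE_ALERT = bytes.fromhex("15030100020228")
# Constructed sample: TLS 1.0 ServerHello selecting 0x002f, empty session id,
# all-zero random, null compression, no extensions.
_hello = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
_hs = b"\x02" + len(_hello).to_bytes(3, "big") + _hello
SAMPLE_HELLO = b"\x16\x03\x01" + len(_hs).to_bytes(2, "big") + _hs

if __name__ == "__main__":
    print(classify_first_record(SAMPLE_ALERT))
    print(classify_first_record(SAMPLE_HELLO))
```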

