[openssl-users] Disable ETM in OpenSSL 1.1.0+

Michael Shirley mshirley at nsslabs.com
Mon Jan 16 17:17:25 UTC 2017

I tested the master branch that adds this capability, but I’m apparently not using the right combination of flags to turn it off – when I attempt s_client/s_server in the 1.1.1dev branch, I’m still seeing the ETM extension offered and negotiated for CBC suites. What would be the correct method to disable ETM using the master branch? 


On 1/16/17, 9:00 AM, "openssl-users on behalf of Matt Caswell" <openssl-users-bounces at openssl.org on behalf of matt at openssl.org> wrote:

    On 16/01/17 14:14, Michael Shirley wrote:
    > It appears that starting with OpenSSL 1.1.0, it is not possible to
    > disable the Encrypt-Then-MAC (ETM) TLS extension for CBC ciphers. Is
    > there an undocumented method to do this, which would also allow me to
    > use the built-in s_server/s_client test mechanism?
    This is a new feature in 1.1.0 that is on by default. Unfortunately
    there is no way to disable it. That capability has since been added to
    the master branch (so will be in 1.1.1) via this commit:
    commit cde6145ba19a2fce039cf054a89e49f67c623c59
    Author:     David Woodhouse <David.Woodhouse at intel.com>
    AuthorDate: Fri Oct 14 00:26:38 2016 +0100
    Commit:     Matt Caswell <matt at openssl.org>
    CommitDate: Mon Oct 17 23:17:39 2016 +0100
        Reviewed-by: Tim Hudson <tjh at openssl.org>
        Reviewed-by: Matt Caswell <matt at openssl.org>
    openssl-users mailing list
    To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4549 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170116/c180a9ff/attachment.bin>

More information about the openssl-users mailing list