[openssl-users] Integrating New Cipher Suite
Wallboy
wallboy at wallboy.ca
Sun Oct 1 13:48:44 UTC 2017
Hi,
I'm also interested in adding a few "pseudo" ciphersuites to OpenSSL.
Notably the 16 GREASE ones Chrome currently uses (0x0A0A, 0x1A1A...0xFAFA).
I made similar changes to the files listed in this thread and compiled
successfully (based on 1.1.0f). I see the new cipher when doing "openssl
ciphers ALL:eNULL".
However I had the same issue that when trying to include it using s_client,
the ClientHello message did not actually send it:
openssl s_client -cipher "ECDHE-RSA-AES256-SHA:GREASE-0A0A" -connect
www.google.com:443 -servername www.google.com
ClientHello contained two ciphersuites. The first one listed and also the
SCSV cipher
I then tried this:
openssl s_client -cipher "ECDHE-RSA-AES256-SHA:GREASE-0A0A:@SECLEVEL=0"
-connect www.google.com:443 -servername www.google.com
Bingo! But the ClientHello now sends 4 Ciphersuites. The first one listed,
followed by my GREASE pseudo cipher, then TLS_RSA_WITH_RC4_128_MD5, then the
SCSV cipher.
I'm not sure why that RC4 cipher is sent. Although it probably has to do
with the fact I structured that GREASE cipher after it:
{
1,
SSL3_TXT_GREASE1,
SSL3_CK_GREASE1,
SSL_kRSA,
SSL_aRSA,
SSL_RC4,
SSL_MD5,
SSL3_VERSION, TLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
If I'm just trying to use it as a pseudo cipher for ClientHello messages,
how should it look in the above struct? And how can I get it to send without
specifying SECLEVEL=0?
Bonus Question: Is it possible to remove the SCSV cipher in the ClientHello?
Thanks for any help
--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
More information about the openssl-users
mailing list