[openssl-users] Authenticated encryption in CMS with OpenSSL

Christian Böhme christian.boehme at cloudandheat.com
Fri Jul 20 12:32:39 UTC 2018

Hello all,

While investigating if and how OpenSSL in several versions could be
made to support authenticated encryption in CMS [1], I noticed that,
e.g., AES in CCM and GCM modes disappeared completely in newer versions
from the command line tools.

That is, while, e.g.,

> openssl version
OpenSSL 1.0.2g  1 Mar 2016

> openssl enc -ciphers 2>&1 | grep -E -i -- '-(ccm|gcm)'
-aes-128-ccm               -aes-128-cfb               -aes-128-cfb1
-aes-128-gcm               -aes-128-ofb               -aes-128-xts
-aes-192-cbc               -aes-192-ccm               -aes-192-cfb
-aes-192-ecb               -aes-192-gcm               -aes-192-ofb
-aes-256-ccm               -aes-256-cfb               -aes-256-cfb1
-aes-256-gcm               -aes-256-ofb               -aes-256-xts
-gost89-cnt                -id-aes128-CCM             -id-aes128-GCM
-id-aes128-wrap            -id-aes192-CCM             -id-aes192-GCM
-id-aes192-wrap            -id-aes256-CCM             -id-aes256-GCM

provides the modes,

> openssl version
OpenSSL 1.1.0h  27 Mar 2018

> openssl enc -ciphers | grep -E -i -- '-(ccm|gcm)'

does not.

The respective algorithms, such as  EVP_aes_256_gcm() , appear to be available
in both versions' libraries, though.

Would someone perhaps involved in the release process be able to explain
the reasoning behind dropping the authenticated encryption modes from the
command line tools?  Are there plans to extend OpenSSL's current support
for CMS [2] to newer CMS versions?  Or is there even a connection between
the two, preventing the latter?


[1] https://tools.ietf.org/html/rfc5083
[2] https://tools.ietf.org/html/rfc3369

*Christian Böhme*

Developer System Integration


*CLOUD & HEAT Technologies GmbH*
Königsbrücker Str. 96 (Halle 15) | 01099 Dresden
Tel: +49 351 479 3670 - 100
Fax: +49 351 479 3670 - 110
E-Mail: christian.boehme at cloudandheat.com <mailto:christian.boehme at cloudandheat.com>
Web: https://www.cloudandheat.com <https://www.cloudandheat.com>

Handelsregister: Amtsgericht Dresden
Registernummer: HRB 30549
USt.-Ident.-Nr.: DE281093504
Geschäftsführer: Nicolas Röhrs

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 533 bytes
Desc: OpenPGP digital signature
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180720/a2b3f434/attachment.sig>

More information about the openssl-users mailing list