[openssl-users] AESCBC support in SSL

Wed Nov 21 17:28:06 UTC 2018

I think you missed the following:

Because CBC is the oldest block cipher mode in SSL and
TLS, the cipher suites using CBC don't include the
letters "CBC" in their names.They simply don't mention
a different mode (such as GCM or CCM).

For example ECDHE-RSA-AES128-SHA uses AES128 in CBC mode.

On 20/11/2018 10:54, ASHIQUE CK wrote:
> Hi,
> Any replys ?
>
> On Mon, Nov 19, 2018 at 11:39 AM ASHIQUE CK <ckashiquekvk at gmail.com 
> <mailto:ckashiquekvk at gmail.com>> wrote:
>
>     Also I use OpenSSL 1.1.0h.
>
>     On Mon, Nov 19, 2018 at 11:36 AM ASHIQUE CK
>     <ckashiquekvk at gmail.com <mailto:ckashiquekvk at gmail.com>> wrote:
>
>         No, We use Ubuntu 16.04 OS
>
>         On Mon, Nov 19, 2018 at 11:34 AM Dmitry Belyavsky
>         <beldmit at gmail.com <mailto:beldmit at gmail.com>> wrote:
>
>             Do you use any RedHat-based OS?
>
>             On Mon, Nov 19, 2018 at 8:54 AM ASHIQUE CK
>             <ckashiquekvk at gmail.com <mailto:ckashiquekvk at gmail.com>>
>             wrote:
>
>                 Is it the problem with that strings or  TLS/SSL
>                 version or any other ?
>
>                 On Mon, Nov 19, 2018 at 11:12 AM ASHIQUE CK
>                 <ckashiquekvk at gmail.com
>                 <mailto:ckashiquekvk at gmail.com>> wrote:
>
>                     Hi,
>                     I had given all the cipher strings
>                     for  "SSL_CTX_set_cipher_list" which we get under
>                     the command 'openssl ciphers' that includes CBC,
>                     but any of them didnot worked. All of them showed
>                     the error "error:141640B5:SSL
>                     routines:tls_construct_client_hello:no ciphers
>                     available". I have used TLSv1_2 or SSLv23.
>                     Also I have tried setting  these strings for
>                     "SSLCipherSuite" at apache server configuration.
>                     But it makes no change for choosing the server
>                     default ciphersuit "ECDHE-RSA-AES256-GCM-SHA384".
>
>                     Thanks
>
>                     On Fri, Nov 16, 2018 at 9:15 PM Viktor Dukhovni
>                     <openssl-users at dukhovni.org
>                     <mailto:openssl-users at dukhovni.org>> wrote:
>
>
>
>                         > On Nov 16, 2018, at 7:45 AM, ASHIQUE CK
>                         <ckashiquekvk at gmail.com
>                         <mailto:ckashiquekvk at gmail.com>> wrote:
>                         >
>                         > Does SSL connection supports AESCBC?
>
>                         Yes, but not under that name.
>
>                         >  I could not set AESCBC in
>                         "SSL_CTX_set_cipher_list" at client side or in
>                         "SSLCipherSuite" at apache server side.
>
>                         For example (constrained also to RSA and ECDHE
>                         to keep the list short):
>
>                           $ openssl ciphers -v
>                         'AES128+aRSA+kECDHE:!AESGCM'
>                           ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH
>                         Au=RSA Enc=AES(128) Mac=SHA256
>                           ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA
>                         Enc=AES(128) Mac=SHA1
>
>                         There isn't a cipherlist property that
>                         specifically selects CBC, so to
>                         get *only* CBC, you need to exclude AESGCM
>                         (and perhaps also AESCCM).
>
Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded