openssl-fips configure parameters to force IANA cipher suite compliance

Jakob Bohm jb-openssl at wisemo.com
Wed Jul 3 07:34:10 UTC 2019


On 02/07/2019 22:13, Larry Jordan via openssl-users wrote:
>
> I want to build an openssl-fips canister to force IANA cipher suite 
> compliance.
>
> With the help of an openssl-iana mapping 
> (https://testssl.sh/openssl-iana.mapping.html) I can identify the 
> corresponding OpenSSL cipher suites.
>
Not sure what you mean?  To my knowledge IANA doesn't (and has no authority
to) define TLS compliance requirements.  They merely keep a database of
various numbers and names assigned in Internet standards ("Internet Assigned
Numbers Authority").

And the openssl-fips canister is a very specific, legally defined exact 
binary
that has gone through expensive US-government tests to allow use by said US
government, with absolutely no changes permitted, even to fix security bugs!

Now it so happens that since long before there were any Internet standards
for SSL/TLS, the OpenSSL/SSLeay family of libraries have used slightly
different names for the numbered cipher suites, especially the ones that
existed before official IETF standards were established.

The key spelling differences obviously being:

1. OpenSSL doesn't put TLS_ in front and _WITH_ in the middle of all the
   names, because that just gets in the way when administrators type in
   configuration changes on their servers.

2. OpenSSL uses dash, not underscore.

3. Because it was the historic default, OpenSSL lets you omit the "RSA_" and
   CBC_ in those cipher suite names.

4. OpenSSL omits the _ or - between AES and the bit count, just like IETF
   already does with SHA.

5. For triple-DES (once the strongest common algorithm, and thus still
   needed to talk to older systems), OpenSSL historically considered it a
   variant of the CBC mode for DES, not a variant of DES for CBC mode.
    Thus the oldest 3DES_CBC cipher suites use DES-CBC3 in their names,
   while the new ones follow IETF naming.  Similarly, DHE_ is spelled EDH-
   in older suites.

6. Whatever user interface a program runs on top of OpenSSL can display the
   names however it wants.

7. If a program wants to map the IETF names to the OpenSSL names, it can
   probably start by doing the string substitutions in differences 1 to 4
   above, then add some special cases for things like
      TLS_DHE_RSA_WITH_3DES_CBC_SHA maps via rules to
      DHE-RSA-3DES-CBC-SHA which maps via special case lookup to
      EDH-RSA-DES-CBC3-SHA

8. To be absolutely sure you handle all known cases, you have to find the
   OpenSSL source file that defines the names and check it against the IANA
   database of cipher suite numbers from IETF standards and non-IETF 
extensions
   (Such as Camelia and GOST cipher suites).


> IANA OpenSSL
>
> TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246 [0x2f] AES128-SHA
>
> TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246 [0x3c] 
> AES128-SHA256
>
> TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246 [0x3d] 
> AES256-SHA256
>
> TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288 [0x9d] 
> AES256-GCM-SHA384
>
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246 [0x67] 
> DHE-RSA-AES128-SHA256
>
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246 [0x6b] 
> DHE-RSA-AES256-SHA256
>
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288 [0x9f] 
> DHE-RSA-AES256-GCM-SHA384
>
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 
> 5289                               [0xc023] ECDHE-ECDSA-AES128-SHA256
>
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 
> 5289                             [0xc02b] ECDHE-ECDSA-AES128-GCM-SHA256
>
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 
> 5289                               [0xc024] ECDHE-ECDSA-AES256-SHA384
>
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 
> 5289                             [0xc02c] ECDHE-ECDSA-AES256-GCM-SHA384
>
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289 [0xc027] 
> ECDHE-RSA-AES128-SHA256
>
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 
> 5289                                  [0xc02f] ECDHE-RSA-AES128-GCM-SHA256
>
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289 [0xc028] 
> ECDHE-RSA-AES256-SHA384
>
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 
> 5289                                  [0xc030] ECDHE-RSA-AES256-GCM-SHA384
>
> How would I configure openssl-fips to force this precise compliance, 
> eliminating all other cipher suites?
>
> Thank you.
>
> --Larry
>
> C++ Developer
>


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



More information about the openssl-users mailing list