Open drwetter opened 9 years ago
Hi @drwetter , I suspect this has something to do with the ordering of ciphers. Check line 1567 of ssl/ssl_ciph.c, where CHACHA20-POLY1305 is explicitly being set as first (preferred) cipher.
0xCC,0x13 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20(256) Mac=AEAD
But what's 0xff03 ? Are you using the ghost-enabled configure file ? I suspect one of those ciphers (which isn't expected)
Yes, I used -DTEMP_GOST_TLS
which gives GOST-MD5
+ GOST-GOST94
(300ff00
, 300ff01
) directly without engine , but not 300ff03
.
Ok, but how come then the test failed?
can you try
./ssltest -cipher "GOST-MD5"
./ssltest -cipher "GOST-GOST94"
If that fails - could you try the same with the official repo ?
And could you check the output of
openssl engine gost -vvvv -t -c
Which should show the correct ciphers ?
Aaah, I think I know what's happening... The SSL tests don't create a gost94 key, which is necessary for the GOST(94) ciphers. This is probably an upstream issue with testing, and it probably works, but the test script is borked. You could try creating a gost94 key to see if everything works correctly, with something like:
openssl req -new -nodes -batch -subj "/C=DE/ST=Deutschland/L=Hamburg/O=Dirk/OU=IT Department/CN=dirk.hamburg.de" -newkey gost94 -pkeyopt paramset:A -keyout gost94.key -out gost94.pem
openssl ca -keyfile cacert.key -cert cacert.pem -policy policy_anything -batch -out gost94.crt -infiles gost94.pem
Am 07/20/2015 um 05:28 PM schrieb Peter Mosmans:
can you try
|./ssltest -cipher "GOST-MD5" ./ssltest -cipher "GOST-GOST94" |
you seem right, see fopen call, but there's a bit I do not understand:
prompt% ./test/ssltest -cipher "GOST-MD5"
Available compression methods:
1: zlib compression
160118820:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1372:
160118820:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1372:
160118820:error:02001002:system library:fopen:No such file or directory:bss_file.c:391:fopen('../apps/server.pem','r')
160118820:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:393:
160118820:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:ssl_rsa.c:452:
ERROR in CLIENT
160118820:error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available:s23_clnt.c:510:
TLSv1.2, cipher (NONE) (NONE)
prompt% ./test/ssltest -cipher "GOST-GOST94"
Available compression methods:
1: zlib compression
142526500:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1372:
142526500:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1372:
142526500:error:02001002:system library:fopen:No such file or directory:bss_file.c:391:fopen('../apps/server.pem','r')
142526500:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:393:
142526500:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:ssl_rsa.c:452:
ERROR in CLIENT
142526500:error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available:s23_clnt.c:510:
TLSv1.2, cipher (NONE) (NONE)
1 handshakes of 256 bytes done
prompt%
But I am still confused as those two are not the ones failed during the test -- that was 300ff03 = GOST-GOST89STREAM .
But:
./test/ssltest -cipher "TESTSSL.SH.RULES"
Available compression methods:
1: zlib compression
158070820:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1372:
158070820:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1372:
158070820:error:02001002:system library:fopen:No such file or directory:bss_file.c:391:fopen('../apps/server.pem','r')
158070820:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:393:
158070820:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:ssl_rsa.c:452:
ERROR in CLIENT
158070820:error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available:s23_clnt.c:510:
TLSv1.2, cipher (NONE) (NONE)
1 handshakes of 256 bytes done
What? ;-)
Cheers, Dirk
openssl engine gost -vvvv -t -c
lists
(gost) Reference implementation of GOST engine
[gost89, gost89-cnt, md_gost94, gost-mac, gost94, gost2001, gost-mac]
[ available ]
CRYPT_PARAMS: OID of default GOST 28147-89 parameters
(input flags): STRING
Hi Peter,
I wasn't able to get
make report
finishing without errors;Any clue what's happening?
Thx, Dirk