Closed dcooper16 closed 6 years ago
OT: did you follow why 0x1304 and 0x1305 (CCM ciphers) aren't in pre3 anymore?
Hi Dirk,
It seems that 0x1304 and 0x1305 were not removed, but there is something wrong.
With pre3, if the -ciphersuites option is not provided, then the list of TLSv1.3 cipher suites will default to TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256.
So, to create a server that supports all 5 TLSv1.3 cipher suites use:
openssl s_server ... -ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256
If I do this and test the server using testssl.sh it shows all 5 TLSv1.3 ciphers. Using the --devel option I can see that testssl.sh can even decrypt the server's response if 0x1304 or 0x1305 is selected.
I run into a problem, however, if I use OpenSSL as a client (e.g., --ssl-native or just using s_client from the command line). According to ssldump, if I use OpenSSL's s_client to connect to the server using s_server and specify 0x1304 and/or 0x1305 as the acceptable cipher suites, the server responds with a ServerHello specifying one of these cipher suites followed by some application data (which is actually the encrypted extensions and certificate). But then the client sends a fatal illegal parameter alert and s_client displays a "wrong cipher returned" error.
If I use an older version of OpenSSL (from 2 weeks ago that implements TLSv1.3 draft 23), I can successfully use s_client to connect to the server using the CCM ciphers.
One of the changes between the two versions of OpenSSL is that the OpenSSL names of the TLSv1.3 ciphers changed. Maybe someone missed a change that needed to be made and that is why OpenSSL is mistakenly reporting a "wrong cipher returned" error now.
Hi David,
thanks for sharing your experience,
I was just listing the ciphers via '-V ALL:COMPLEMENTOFALL' and realized that those two were missing in the list.
I haven't found any issue for this upstream. Just compiled it again and it still seems to be the case. The listing of the allegedly RC2 ciphers is strange, too. Maybe you should file an issue?
Cheers, Dirk
I was just listing the ciphers via '-V ALL:COMPLEMENTOFALL' and realized that those two were missing in the list.
That's part of https://github.com/openssl/openssl/pull/5392 and the new -ciphersuites option. According to https://github.com/openssl/openssl/blob/master/doc/man1/ciphers.pod:
-ciphersuites val
Sets the list of TLSv1.3 ciphersuites. This list will be combined with any TLSv1.2 and below ciphersuites that have been configured. The format for this list is a simple colon (":") separated list of TLSv1.3 ciphersuite names. By default this value is: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
So, if you don't include the -ciphersuites option, the 0x1304 and 0x1305 will not be included.
Unfortunately, it seems that -ciphersuites only accepts a list of cipher suite names. It won't accept anything like "ALL".
I may file an issue about the TLSv1.3 CCM ciphers, but I'd like to spend a bit more time trying to figure out what is going wrong.
I'm not sure what you're seeing with RC2, but note that if you do not include a -ciphersuites option, then the three default TLSv1.3 ciphers will appear in the list, regardless of what TLSv1.2 and below cipher suites are specified.
So, if you don't include the -ciphersuites option, the 0x1304 and 0x1305 will not be included.
Hm, where did you read that in the man page? If openssl ciphers -V 'ALL:COMPLEMENTOFALL' would need -ciphersuites in addition, I would question the sense of 'ALL:COMPLEMENTOFALL'.
I'm not sure what you're seeing with RC2, but note that if you do not include a -ciphersuites option, then the three default TLSv1.3 ciphers will appear in the list, regardless of what TLSv1.2 and below cipher suites are specified.
OpenSSL 1.1.1 (today's pull):
apps/openssl ciphers -V RC2 master
0x13,0x02 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
0x13,0x01 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
@PeterMosmans' fork:
github/bin/openssl.Linux.x86_64 ciphers -V RC2 master
0x03,0x00,0x80 - RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
0x00,0x61 - EXP1024-RC2-CBC-MD5 SSLv3 Kx=RSA(1024) Au=RSA Enc=RC2(56) Mac=MD5 export
0x00,0x06 - EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
0x04,0x00,0x80 - EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
Luckily testssl.sh doesn't generate RC2 cipherlists on the fly anymore. But I see also the TLS 1.3 ciphers appearing with apps/openssl ciphers -V RC4 or apps/openssl ciphers -V aNULL.
https://github.com/openssl/openssl/blob/master/doc/man1/ciphers.pod:
-ciphersuites val
Sets the list of TLSv1.3 ciphersuites. This list will be combined with any TLSv1.2 and below ciphersuites that have been configured. The format for this list is a simple colon (":") separated list of TLSv1.3 ciphersuite names. By default this value is: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
cipherlist
A cipher list of TLSv1.2 and below ciphersuites to convert to a cipher preference list. This list will be combined with any TLSv1.3 ciphersuites that have been configured. If it is not included then the default cipher list will be used. The format is described below.
So, 'ALL:COMPLEMENTOFALL' now only refers to TLSv1.2 and below cipher suites. So openssl ciphers -V RC2 now means any TLSv1.2 and below RC2 cipher suites plus the default set of TLSv1.3 cipher suites.
got it, thanks.
User interface crap IMO. FYI: I filed an issue there for the IMO inconsistent -V RC2 and the like.
A PR was just merged into the OpenSSL 1.1.1 development branch that will require significant changes to testssl.sh in order for it to support use with OpenSSL 1.1.1: see https://github.com/openssl/openssl/pull/5392.
The relatively simple change in https://github.com/openssl/openssl/pull/5392 is that it changes the OpenSSL names for the TLS 1.3 cipher suites. For example, TLS13-AES-128-GCM-SHA256 was changed to TLS_AES_128_GCM_SHA256. When using OpenSSL names, testssl.sh currently checks whether the name begins with "TLS13" to determine whether it is a TLS 1.3 cipher suite.
The more difficult change to address is that OpenSSL 1.1.1 now uses different parameters to configure TLS 1.3 cipher suites from the one used to configure TLS 1.2 and below cipher suites. This affects both the cipher command and the -cipher option of the s_client command.
An example of the change is the following:
Starting with https://github.com/openssl/openssl/pull/5392, if -ciphersuites is not present, then it is the same as if it were present with a default list of TLS 1.3 cipher suites (TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256).
Similarly with the s_client command, if -ciphersuites is not present and -no_tls1_3 is not present, the result is the same as if -ciphersuites were present and contained a list of the three default TLS 1.3 cipher suites.
I'll try to work on a PR (or set of PRs) to address this.
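The split described in this issue, as an added example that is not code from testssl.sh or OpenSSL: a mixed cipher list is separated into the value for -ciphersuites and the value for -cipher, and -no_tls1_3 is emitted when no TLS 1.3 suite is wanted, so the three defaults are not silently added. The function names are hypothetical; it assumes TLS 1.3 names start with "TLS13" (old) or "TLS_" (new) while OpenSSL's TLS 1.2 and below names do not, and it generalizes the one rename shown above to all TLS13-* names.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not testssl.sh code).

# Assumption: only TLS 1.3 OpenSSL names start with "TLS13" or "TLS_".
is_tls13_name() {
    case "$1" in
        TLS13*|TLS_*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Map a pre-PR-5392 name to the new form, e.g.
# TLS13-AES-128-GCM-SHA256 -> TLS_AES_128_GCM_SHA256. New names pass through.
normalize_tls13_name() {
    case "$1" in
        TLS13-*) printf 'TLS_%s\n' "$(printf '%s\n' "${1#TLS13-}" | sed 's/-/_/g')" ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# Print the s_client options for a mixed, colon-separated cipher list.
build_cipher_opts() {
    tls13="" tls12=""
    old_ifs=$IFS; IFS=:
    for name in $1; do
        [ -n "$name" ] || continue          # skip empty fields ("a::b")
        if is_tls13_name "$name"; then
            tls13="${tls13:+$tls13:}$(normalize_tls13_name "$name")"
        else
            tls12="${tls12:+$tls12:}$name"
        fi
    done
    IFS=$old_ifs
    if [ -n "$tls13" ]; then
        opts="-ciphersuites $tls13"
    else
        # Leaving -ciphersuites out would enable the three default TLS 1.3
        # suites, so TLS 1.3 has to be switched off explicitly.
        opts="-no_tls1_3"
    fi
    # If no TLS 1.2 and below name was given, -cipher is omitted and
    # OpenSSL falls back to its default cipher list for those protocols.
    [ -n "$tls12" ] && opts="$opts -cipher $tls12"
    printf '%s\n' "$opts"
}

# Constructed sample input mixing old, new and TLS 1.2 names.
build_cipher_opts 'ECDHE-RSA-AES128-GCM-SHA256:TLS13-AES-128-GCM-SHA256:TLS_AES_128_CCM_SHA256'
```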