Monday, August 1, 2016

apache 2.2 - OpenSSL able to negotiate a cipher that isn't supported

We have to be a little limited with out cipher selection for various reasons, and one of the ciphers we can't use is AES256-GCM-SHA384.



We can prove that that cipher is available with this command:



$ openssl s_client -cipher AES256-GCM-SHA384 -connect hostname:443



...which works fine on Centos 6.6, OpenSSL 1.0.1e-fips 11 Feb 2013. It connects and displays:




New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384




It doesn't work from my Mac (OpenSSL 0.9.8zd 8 Jan 2015) or from the server itself (OpenSSL 1.0.1m 19 Mar 2015 (Library: OpenSSL 1.0.0d 8 Feb 2011)), in both cases returning a message like:





38200:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher
match:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/ssl/ssl_lib.c:1223




That the connection from Centos works is confusing to me, because running this on the (Solaris) server:



$ openssl ciphers | sed "s/:/\\n/g" | grep -i gcm


...produces an empty list, as though GCM ciphers don't exist. The same command on the Centos install lists a handful of selections.




The Apache instance is using the copy of OpenSSL that I'm looking at and not some other random one.



I suspect that I'm missing a key point. Does anyone have an idea of what might be going on?

No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...