From: Allan S. <as...@in...> - 2001-11-21 18:30:28
I tried to send this already but Yahoo seemed to go out to lunch. Here is a try from another account. I wrote:

> --- Chris Ridd <chr...@me...> wrote:
>>> Allan Streib <ast...@ya...> wrote:
>>
>>>> But regardless of what I specify, after start_tls()
>>>> the cipher method returns "DES-CBC3-SHA"
>>>>
>>>> Can someone provide a sample line of Perl that does
>>>> what I want?
>>
>> [snip]
>>
>>> So, find the openssl program that uses the libraries
>>> that the perl Net::SSLeay module is using, and type:
>>>
>>> % openssl ciphers -v
>>
>> Thanks for the info. I did that, and there are a
>> bunch of different ciphers supported. So how do
>> I specify one or more to start_tls()? If I do this:
>>
>> start_tls(ciphers => 'RC4-SHA');
>>
>> (one of the listed ciphers) as a test, I still get
>> 'DES-CBC3-SHA' back from the cipher() method.
>
> I don't understand what's happening.
>
> A couple of things might be:
>
> 1) we're accidentally allowing more cipher suites when using start_tls
>
> 2) we're accidentally allowing more cipher suites when creating any TLS
> connection
>
> 3) the server's breaking RFC 2246 and using a cipher suite that you don't
> want (see section 7.4.1.2. in RFC 2246)
>
> Do you get this same problem when creating an LDAPS connection?

No. Using Net::LDAPS, I can specify ciphers in new() and it works as expected.

> If you don't, then I'm puzzled. Our code setting this stuff is shared
> between LDAPS and start_tls, so it should either *always* work or *always*
> not work :-) One difference: in start_tls we set the sslversion to 'tlsv1'
> if you don't specify it; in LDAPS we set it to 'sslv2/3'. Try changing the
> sslversion.

The following code:

    $mesg = $ldap->start_tls(ciphers => 'RC4-SHA', sslversion => 'sslv2/3');
    print "start_tls: ",$mesg->error,"\n";
    $mesg = $ldap->cipher();
    print "Cipher is ",$mesg,"\n";

Results in:

    start_tls: Success
    Cipher is DES-CBC3-SHA

Omitting the sslversion arg has no effect.

> If you *do* get the same problem, then we can try some stuff to work out
> what's happening.
>
> Basically, try to connect to your LDAPS port using the openssl s_client
> utility, using a variety of values for the -cipher option, and find out
> what gets negotiated.
>
> eg
>
> openssl s_client -connect host:port -tls1 -state -cipher ALL
> openssl s_client -connect host:port -tls1 -state -cipher RC4-SHA
> openssl s_client -connect host:port -tls1 -state -cipher DES-CBC3-SHA
> openssl s_client -connect host:port -tls1 -state -cipher IDEA-CBC-SHA
>
> In each case, what gets printed by the s_client program? You should see a
> line like:
>
> New, TLSv1/SSLv3, Cipher is DES-CBC-SHA
>
> towards the end of the output each time. (Varying the Cipher value,
> perhaps.)

All of the above works as expected.

Allan
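The s_client probe Chris describes above, turned into a small script. This is an added example, not code from the thread or from Net::LDAP; it assumes the `openssl s_client` output format quoted in the thread (the `New, <proto>, Cipher is <name>` line, or `(NONE)` when nothing was negotiated), and `host`, `port` and the cipher names passed on the command line are placeholders. It checks the one thing the thread is trying to establish: whether the server actually honoured the cipher the client offered, which RFC 2246 section 7.4.1.2 requires it to do.

```shell
#!/bin/sh
# Added example: verify that a TLS server negotiates the cipher the client
# restricted itself to, by parsing openssl s_client output.

# Read s_client output on stdin and print the negotiated cipher name.
# s_client prints a line such as:  New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
# or, when the handshake fails:    New, (NONE), Cipher is (NONE)
negotiated_cipher() {
    sed -n 's/^New, [^,]*, Cipher is \(.*\)$/\1/p' | head -n 1
}

# Connect to host:port offering only one cipher and print what was negotiated.
# Needs network access; the offline checks below only exercise the parsing.
probe_cipher() {
    host=$1; port=$2; cipher=$3
    openssl s_client -connect "$host:$port" -tls1 -state -cipher "$cipher" \
        < /dev/null 2>/dev/null | negotiated_cipher
}

# Return 0 when the negotiated cipher equals the requested one, 1 when the
# server chose something else, or when no cipher was negotiated at all.
cipher_honoured() {
    requested=$1; got=$2
    [ -n "$got" ] && [ "$got" != "(NONE)" ] && [ "$got" = "$requested" ]
}

# Usage (placeholders): sh probe.sh ldap.example.invalid 636 RC4-SHA
if [ "$#" -eq 3 ]; then
    got=$(probe_cipher "$1" "$2" "$3")
    if cipher_honoured "$3" "$got"; then
        echo "server honoured $3"
    else
        echo "requested $3 but negotiated '${got:-nothing}'"
        exit 1
    fi
fi
```

Run it once per cipher from the list above; a server that answers with a cipher you did not offer is the RFC 2246 case (3) Chris lists, while a `(NONE)` result means the server simply does not support that cipher and the handshake failed.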