Re: Question on start_tls() options

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I tried to send this already but Yahoo seemed to go out to lunch.  Here 
is a try from another account.

I wrote:

> --- Chris Ridd <chr...@me...> wrote:
>>> Allan Streib <ast...@ya...> wrote:
>>
>>>> But regardless of what I specify, after start_tls()
>>>> the cipher method returns "DES-CBC3-SHA"
>>>>
>>>> Can someone provide a sample line of Perl that does
>>>> what I want?
>>
>> [snip]
>>
>>> So, find the openssl program that uses the libraries
>>> that the perl Net::SSLeay module is using, and type:
>>>
>>> % openssl ciphers -v
>>
>> Thanks for the info.  I did that, and there are a
>> bunch of different ciphers supported.  So how do
>> I specify one  or more to start_tls()?  If I do this:
>>
>>     start_tls(ciphers => 'RC4-SHA');
>>
>> (one of the listed ciphers) as a test, I still get
>> 'DES-CBC3-SHA' back from the cipher() method.
>
> I don't understand what's happening.
>
> A couple of things might be:
>
> 1) we're accidentally allowing more cipher suites when using start_tls
>
> 2) we're accidentally allowing more cipher suites when creating any TLS
> connection
>
> 3) the server's breaking RFC 2246 and using a cipher suite that you 
> don't
> want (see section 7.4.1.2. in RFC 2246)
>
> Do you get this same problem when creating an LDAPS connection?

No.  Using Net::LDAPS, I can specify ciphers in new() and it works as 
expected.

> If you don't, then I'm puzzled. Our code setting this stuff is shared
> between LDAPS and start_tls, so it should either *always* work or 
> *always*
> not work :-) One difference: in start_tls we set the sslversion to 
> 'tlsv1'
> if you don't specify it; in LDAPS we set it to 'sslv2/3'. Try changing 
> the
> sslversion.

The following code:

     $mesg =  $ldap->start_tls(ciphers => 'RC4-SHA',
                           sslversion => 'sslv2/3');
     print "start_tls: ",$mesg->error,"\n";

     $mesg = $ldap->cipher();
     print "Cipher is ",$mesg,"\n";

Results in:

     start_tls: Success
     Cipher is DES-CBC3-SHA

Omitting the sslversion arg has no effect.

> If you *do* get the same problem, then we can try some stuff to work out
> what's happening.
>
> Basically, try to connect to your LDAPS port using the openssl s_client
> utility, using a variety of values for the -cipher option, and find out
> what gets negotiated.
>
> eg
>
> openssl s_client -connect host:port -tls1 -state -cipher ALL
> openssl s_client -connect host:port -tls1 -state -cipher RC4-SHA
> openssl s_client -connect host:port -tls1 -state -cipher DES-CBC3-SHA
> openssl s_client -connect host:port -tls1 -state -cipher IDEA-CBC-SHA
>
> In each case, what gets printed by the s_client program? You should 
> see a
> line like:
>
> New, TLSv1/SSLv3, Cipher is DES-CBC-SHA
>
> towards the end of the output each time. (Varying the Cipher value,
> perhaps.)

All of the above works as expected.

Allan