problems Camellia cipher with software

Support for security such as Firewalls and securing linux
GusL

problems Camellia cipher with software

Post by GusL » 2013/03/28 11:56:03

Hi all,

I cannot get the Camellia cipher to work with Apache and other software on CentOS 5.9 64 bits.

What am I doing wrong?


My openssl configuration shows the Camellia cipher is present:
[code]
#openssl ciphers -v 'CAMELLIA'
ADH-CAMELLIA256-SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
ADH-CAMELLIA128-SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
[/code]


/etc/httpd/httpd.conf:
[code]
SSLHonorCipherOrder
SSLCipherSuite CAMELLIA:RC4:HIGH:!MD5:!aNULL:!EDH
[/code]

connection error with Camellia:
[code]
#openssl s_client -host host.myhost.com -port 443 -cipher CAMELLIA
CONNECTED(00000003)
16926:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:
[/code]

... although no error with AES:
[code]
#openssl s_client -host host.myhost.com -port 443 -cipher AES
CONNECTED(00000003)
depth=0 /C=AU/ST=AU/L=AU/O=myhost/OU=myhost/CN=host.myhost.com/emailAddress=web@myhost.com
verify error:num=18:self signed certificate
verify return:1
..
[/code]


sslscan shows the Camellia cipher is not present:
[code]
sslscan --bugs host.myhost.com:443
_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|

Version 1.8.2
http://www.titania.co.uk
Copyright Ian Ventura-Whiting 2009

Testing SSL server host.myhost.com on port 443

Supported Server Cipher(s):
Failed SSLv2 168 bits DES-CBC3-MD5
Failed SSLv2 56 bits DES-CBC-MD5
Failed SSLv2 40 bits EXP-RC2-CBC-MD5
Failed SSLv2 128 bits RC2-CBC-MD5
Failed SSLv2 40 bits EXP-RC4-MD5
Failed SSLv2 128 bits RC4-MD5
Rejected SSLv3 256 bits ADH-AES256-SHA
Rejected SSLv3 256 bits DHE-RSA-AES256-SHA
Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Rejected SSLv3 128 bits ADH-AES128-SHA
Rejected SSLv3 128 bits DHE-RSA-AES128-SHA
Rejected SSLv3 128 bits DHE-DSS-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Failed SSLv3 40 bits EXP-KRB5-RC4-MD5
Failed SSLv3 40 bits EXP-KRB5-RC2-CBC-MD5
Failed SSLv3 40 bits EXP-KRB5-DES-CBC-MD5
Failed SSLv3 40 bits EXP-KRB5-RC4-SHA
Failed SSLv3 40 bits EXP-KRB5-RC2-CBC-SHA
Failed SSLv3 40 bits EXP-KRB5-DES-CBC-SHA
Failed SSLv3 128 bits KRB5-RC4-MD5
Failed SSLv3 168 bits KRB5-DES-CBC3-MD5
Failed SSLv3 56 bits KRB5-DES-CBC-MD5
Failed SSLv3 128 bits KRB5-RC4-SHA
Failed SSLv3 168 bits KRB5-DES-CBC3-SHA
Failed SSLv3 56 bits KRB5-DES-CBC-SHA
Rejected SSLv3 168 bits ADH-DES-CBC3-SHA
Rejected SSLv3 56 bits ADH-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Rejected SSLv3 128 bits ADH-RC4-MD5
Rejected SSLv3 40 bits EXP-ADH-RC4-MD5
Rejected SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Rejected SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Rejected SSLv3 56 bits DES-CBC-SHA
Rejected SSLv3 40 bits EXP-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-RC2-CBC-MD5
Accepted SSLv3 128 bits RC4-SHA
Rejected SSLv3 128 bits RC4-MD5
Rejected SSLv3 40 bits EXP-RC4-MD5
Rejected SSLv3 0 bits NULL-SHA
Rejected SSLv3 0 bits NULL-MD5
Rejected TLSv1 256 bits ADH-AES256-SHA
Rejected TLSv1 256 bits DHE-RSA-AES256-SHA
Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Rejected TLSv1 128 bits ADH-AES128-SHA
Rejected TLSv1 128 bits DHE-RSA-AES128-SHA
Rejected TLSv1 128 bits DHE-DSS-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Failed TLSv1 40 bits EXP-KRB5-RC4-MD5
Failed TLSv1 40 bits EXP-KRB5-RC2-CBC-MD5
Failed TLSv1 40 bits EXP-KRB5-DES-CBC-MD5
Failed TLSv1 40 bits EXP-KRB5-RC4-SHA
Failed TLSv1 40 bits EXP-KRB5-RC2-CBC-SHA
Failed TLSv1 40 bits EXP-KRB5-DES-CBC-SHA
Failed TLSv1 128 bits KRB5-RC4-MD5
Failed TLSv1 168 bits KRB5-DES-CBC3-MD5
Failed TLSv1 56 bits KRB5-DES-CBC-MD5
Failed TLSv1 128 bits KRB5-RC4-SHA
Failed TLSv1 168 bits KRB5-DES-CBC3-SHA
Failed TLSv1 56 bits KRB5-DES-CBC-SHA
Rejected TLSv1 168 bits ADH-DES-CBC3-SHA
Rejected TLSv1 56 bits ADH-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Rejected TLSv1 128 bits ADH-RC4-MD5
Rejected TLSv1 40 bits EXP-ADH-RC4-MD5
Rejected TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Rejected TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Rejected TLSv1 56 bits DES-CBC-SHA
Rejected TLSv1 40 bits EXP-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1 128 bits RC4-SHA
Rejected TLSv1 128 bits RC4-MD5
Rejected TLSv1 40 bits EXP-RC4-MD5
Rejected TLSv1 0 bits NULL-SHA
Rejected TLSv1 0 bits NULL-MD5

Prefered Server Cipher(s):
SSLv3 128 bits RC4-SHA
TLSv1 128 bits RC4-SHA
[/code]

Server keys are generated with the option: # openssl genrsa -camellia128 2048

Please, some help locating where the problem is.

thanks

TrevorH

problems Camellia cipher with software

Post by TrevorH » 2013/03/28 12:06:57

Are you sure that `openssl ciphers -v 'CAMELLIA' ` says that it supports it? It does not do so here on CentOS 5.9 but does on 6.4.

[code]
$ openssl ciphers -v 'CAMELLIA'
Error in cipher list
20437:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1188:
[/code]
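A small client-side check, added here as an example and not code from the thread, that separates TrevorH's point (the local OpenSSL cannot select the cipher spec at all, the "no cipher match" case) from a genuine server-side rejection (the handshake alert seen with s_client). Host, port, the timeout and the cipher specs are placeholders.

```python
import socket
import ssl

CONNECT_TIMEOUT = 5.0  # seconds; assumption for the example


def local_openssl_supports(cipher_spec: str) -> bool:
    """True if the OpenSSL behind this Python can select at least one
    (TLS 1.2 or older) cipher for cipher_spec. This is the check that
    `openssl ciphers -v '<spec>'` performs: on a build without Camellia
    it fails with "no cipher match" before any packet is sent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_spec)
    except ssl.SSLError:  # "No cipher can be selected."
        return False
    return True


def probe_server_cipher(host: str, port: int, cipher_spec: str):
    """One handshake restricted to cipher_spec, like
    `openssl s_client -cipher <spec>`. Returns the negotiated cipher
    name, or None when the server answers with a handshake alert.
    Raises ValueError first if the *client* cannot offer the spec, so a
    local OpenSSL gap is never misreported as a server rejection."""
    if not local_openssl_supports(cipher_spec):
        raise ValueError(f"local OpenSSL has no cipher matching {cipher_spec!r}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # set_ciphers() only governs TLS 1.2 and older suites; cap the version so
    # a TLS 1.3 server cannot sidestep the restriction with its own suites.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # The thread's server uses a self-signed certificate; we only want the
    # cipher negotiation result here, not a trust decision.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers(cipher_spec)
    try:
        with socket.create_connection((host, port), timeout=CONNECT_TIMEOUT) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]  # e.g. "CAMELLIA256-SHA"
    except ssl.SSLError:
        return None


if __name__ == "__main__":
    # host.myhost.com is the placeholder from the thread, not a real target.
    for spec in ("AES", "CAMELLIA"):
        print(spec, "locally selectable:", local_openssl_supports(spec))
```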

GusL

Re: problems Camellia cipher with software

Post by GusL » 2013/03/28 12:11:33

[quote]
TrevorH wrote:
Are you sure that `openssl ciphers -v 'CAMELLIA' ` says that it supports it? It does not do so here on CentOS 5.9 but does on 6.4.
[/quote]

Oh... No alternative way to support it in CentOS 5.9?

thanks!!

GusL

Re: problems Camellia cipher with software

Post by GusL » 2013/03/28 12:19:31

Thanks anyway, you saved me a lot of time. I'll go for an update.
