[Cryptography-dev] Cryptography-dev Digest, Vol 48, Issue 1

Karan karan karan7868 at gmail.com
Wed Jul 5 11:27:37 EDT 2017


Thanks Cory!
That explains the issue, so it looks like the cipher is being set by the client,
just that I need the server to support it.

Thanks,
Karan.

On Mon, Jul 3, 2017 at 7:35 AM, <cryptography-dev-request at python.org> wrote:

> Today's Topics:
>
>    1. set_cipher_list() API Question (Karan karan)
>    2. Re: set_cipher_list() API Question (Tristan Seligmann)
>    3. Re: set_cipher_list() API Question (Karan karan)
>    4. Re: set_cipher_list() API Question (Cory Benfield)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 3 Jul 2017 06:18:51 -0700
> From: Karan karan <karan7868 at gmail.com>
> To: cryptography-dev at python.org
> Subject: [Cryptography-dev] set_cipher_list() API Question
> Message-ID:
>         <CAKFSe+YD9YHZNzSC2oodU89hiMJGRDwySmg8
> Y_UwsmJbAjtiXA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> I'm trying to set a specific cipher ('ECDHE-ECDSA-AES128-GCM-SHA256') in
> the cipher list using the API set_cipher_list, but I'm getting the following
> error:
>
> kjoshi at ubuntu64dev:~/openssl_playground$ python test_ex.py
> -----------------------------------
> connected ('192.168.152.132', 443)
> Traceback (most recent call last):
>   File "test_ex.py", line 83, in <module>
>     main()
>   File "test_ex.py", line 65, in main
>     cont, initial_session, ssl_conn, tcp_conn = create_ssl_connection()
>   File "test_ex.py", line 25, in create_ssl_connection
>     cont.set_cipher_list('ECDHE+ECDSA+AES128+GCM+SHA256')
>   File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 975, in set_cipher_list
>   File "build/bdist.linux-x86_64/egg/OpenSSL/_util.py", line 67, in openssl_assert
>   File "build/bdist.linux-x86_64/egg/OpenSSL/_util.py", line 54, in exception_from_error_queue
> OpenSSL.SSL.Error: [('SSL routines', 'SSL_CTX_set_cipher_list', 'no cipher match')]
>
>
> Below is the code that I have:
>
> # Context, Connection and TLSv1_2_METHOD come from pyOpenSSL
> from OpenSSL.SSL import Context, Connection, TLSv1_2_METHOD
>
> cont = Context(TLSv1_2_METHOD)
> #cont.set_cipher_list('0xc00e')
> #cont.set_cipher_list('ECDHE+ECDSA+AESGCM+SHA256')
> #cont.set_cipher_list('ECDHE-ECDSA-AES128-GCM-SHA256')
> cont.set_cipher_list('ECDHE+ECDSA+AES128+GCM+SHA256')
> client_ssl = Connection(cont, client)
> client_ssl.set_connect_state()
> client_ssl.do_handshake()
> session_ref = client_ssl.get_session()
>
>
> As seen above, I tried numerous combinations of word separators (_,-,+) but
> nothing seemed to have helped.
>
> I would appreciate it if someone could please let me know the usage of
> this. I'm sure there must be a way of sending a specific cipher.
> I'm performing a test on my local Apache server.
>
> Thanks,
> Karan.
>
> ------------------------------
>
> Message: 2
> Date: Mon, 03 Jul 2017 14:09:51 +0000
> From: Tristan Seligmann <mithrandi at mithrandi.net>
> To: cryptography-dev at python.org
> Subject: Re: [Cryptography-dev] set_cipher_list() API Question
> Message-ID:
>         <CAMcKhMRFBfJCV+24XOiCubLhV2ubu+Vt64LRr2HXYOaz=KawXA at mail.
> gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> On Mon, 3 Jul 2017 at 15:18 Karan karan <karan7868 at gmail.com> wrote:
>
> >                 #cont.set_cipher_list('ECDHE-ECDSA-AES128-GCM-SHA256')
> >
>
> I believe this is the correct spelling, and it works for me. Perhaps your
> OpenSSL does not have this cipher compiled in?
>
> If you run `openssl ciphers ECDHE-ECDSA-AES128-GCM-SHA256` do you get an
> error or successful cipher output?
>
> ------------------------------
>
> Message: 3
> Date: Mon, 3 Jul 2017 07:11:57 -0700
> From: Karan karan <karan7868 at gmail.com>
> To: cryptography-dev at python.org
> Subject: Re: [Cryptography-dev] set_cipher_list() API Question
> Message-ID:
>         <CAKFSe+a+3_V2QcgmU3gzVu-Ei1Zz6wDFZZcV64CdmGuQjvpmiw@
> mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I set: cont.set_cipher_list('ECDHE-ECDSA-AES128-GCM-SHA256')
>
> but I see the following error in the logs:
>
> connected ('**.**.**.**', 443)
> Traceback (most recent call last):
>   File "test_ex.py", line 83, in <module>
>     main()
>   File "test_ex.py", line 65, in main
>     cont, initial_session, ssl_conn, tcp_conn = create_ssl_connection()
>   File "test_ex.py", line 33, in create_ssl_connection
>     client_ssl.do_handshake()
>   File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 1638, in do_handshake
>   File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 1378, in _raise_ssl_error
>   File "build/bdist.linux-x86_64/egg/OpenSSL/_util.py", line 54, in exception_from_error_queue
> OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert handshake failure')]
>
> However, when I look in Wireshark I do see the following ciphers set in the
> client hello:
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV and
> 'ECDHE-ECDSA-AES128-GCM-SHA256'.
>
> I'm using TLS 1.2, so I'm not sure why it's complaining about the sslv3
> protocol and using the TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
>
> I'd appreciate it if someone could help out on it.
>
> Thanks,
> Karan.
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 3 Jul 2017 15:34:57 +0100
> From: Cory Benfield <cory at lukasa.co.uk>
> To: cryptography-dev at python.org
> Subject: Re: [Cryptography-dev] set_cipher_list() API Question
> Message-ID: <31B04AF2-8B9A-416C-BD0C-F7AD6527B1ED at lukasa.co.uk>
> Content-Type: text/plain; charset="utf-8"
>
> The "sslv3" text is misleading: it simply relates to the way the OpenSSL
> internals are structured. Similarly, TLS_EMPTY_RENEGOTIATION_INFO_SCSV is
> a "dummy" cipher suite used to signal to the server that renegotiation
> using RFC 5746 is supported: it's not an actual cipher suite.
>
> This error is almost certainly due to the remote server not having an
> ECDSA certificate. When you say ECDHE-ECDSA-AES128-GCM-SHA256 you make it
> entirely impossible to interoperate with servers that use RSA certificates,
> which is probably not what you want to do. A more useful cipher suite
> string is "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256",
> which includes both the ECDSA and RSA variants of this cipher suite.
>
> Cory
>
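The two failures discussed in this thread, as an added example that is not part of the original messages or of pyOpenSSL: it uses Python's standard `ssl` module, whose `set_ciphers()` hands the string to the same OpenSSL cipher-list parser, to show which strings fail locally with "no cipher match" and which certificate type each accepted suite requires from the server. The function names are hypothetical, and `offers_suite_for` is a simplified model that looks only at the server's certificate type, not at the server's own cipher configuration.

```python
import re
import ssl


def expand_cipher_string(spec):
    """Return [(suite_name, auth)] for the pre-TLS-1.3 suites OpenSSL selects
    for `spec`. An empty list corresponds to OpenSSL's 'no cipher match'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)            # wraps SSL_CTX_set_cipher_list()
    except ssl.SSLError:                 # raised when nothing matches
        return []
    suites = []
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            continue                     # TLS 1.3 suites are not set by this string
        # The description carries the authentication type, e.g. "Au=ECDSA".
        match = re.search(r"Au=(\S+)", cipher["description"])
        suites.append((cipher["name"], match.group(1) if match else "unknown"))
    return suites


def offers_suite_for(spec, server_cert_type):
    """Simplified model (assumption): a handshake can only succeed if the
    client offers a suite whose authentication matches the server's
    certificate type ('RSA' or 'ECDSA')."""
    return any(auth == server_cert_type
               for _, auth in expand_cipher_string(spec))


# Cipher strings quoted in the thread.
ATTEMPTS = [
    "0xc00e",
    "ECDHE+ECDSA+AES128+GCM+SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256",
]

if __name__ == "__main__":
    for spec in ATTEMPTS:
        suites = expand_cipher_string(spec)
        print(spec)
        print("   suites:", suites if suites else "no cipher match")
        for cert in ("RSA", "ECDSA"):
            print("   usable with", cert, "certificate:",
                  offers_suite_for(spec, cert))
```

A string that expands to an empty list fails before any packet is sent; a string that expands only to ECDSA-authenticated suites is accepted locally and then rejected by a server that holds only an RSA certificate, which is the handshake failure reported above.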