Last active
March 3, 2016 05:02
-
-
Save azet/1276944274f8cd5ac5cc to your computer and use it in GitHub Desktop.
OpenSSL 1.0.1s finally removes all mention of EXPORT ciphersuites
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
azet@orpheus ~/test/openssl-1.0.1r/apps % ./openssl ciphers 'ALL' -V | grep EXP | |
WARNING: can't open config file: /usr/local/ssl/openssl.cnf | |
0x00,0x14 - EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export | |
0x00,0x11 - EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export | |
0x00,0x19 - EXP-ADH-DES-CBC-SHA SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export | |
0x00,0x08 - EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export | |
0x00,0x06 - EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export | |
0x04,0x00,0x80 - EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export | |
0x00,0x17 - EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export | |
0x00,0x03 - EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export | |
0x02,0x00,0x80 - EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export | |
azet@orpheus ~/test/openssl-1.0.1r/apps % cd ../../openssl-1.0.1s/apps | |
azet@orpheus ~/test/openssl-1.0.1s/apps % ./openssl ciphers 'ALL' -V | grep EXP | |
WARNING: can't open config file: /usr/local/ssl/openssl.cnf | |
1 azet@orpheus ~/test/openssl-1.0.1s/apps % |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It used to be possible in earlier OpenSSL 1.0.1-branch releases to negotiate working TLS 1.2-only connections with EXPORT cipher-suites between OpenSSL servers and clients. This behavior is explicitly prohibited in RFC4346 (TLS 1.1) and TLS protocol versions beyond. As such RFC4346 states in Appendix A.5. (pp. 61-62):