kern/155160: [aesni] AES-NI breaks OpenSSL client calls
Hans Duedal
hd at onlinecity.dk
Wed Mar 2 11:20:12 UTC 2011
The following reply was made to PR kern/155160; it has been noted by GNATS.
From: Hans Duedal <hd at onlinecity.dk>
To: bug-followup at freebsd.org, hd at onlinecity.dk
Cc:
Subject: Re: kern/155160: [aesni] AES-NI breaks OpenSSL client calls
Date: Wed, 2 Mar 2011 12:18:51 +0100
Does not work:
curl -v --ciphers AES256-SHA "https://twitter.com/"
curl -v --ciphers AES256-SHA "https://encrypted.google.com/"
Works:
curl -v --ciphers AES128-SHA "https://twitter.com/"
curl -v --ciphers AES128-SHA "https://encrypted.google.com/"
curl -v --ciphers RC4-SHA "https://twitter.com/"
curl -v --ciphers CAMELLIA128-SHA "https://oc.nimta.com/"
curl -v --ciphers CAMELLIA256-SHA "https://oc.nimta.com/"
The problem only affects the AES256 cipher and its variants
(DHE-RSA-AES256-SHA & DHE-DSS-AES256-SHA). But openssl s_client still works
with it:
openssl s_client -ssl3 -cipher AES256-SHA -state -CAfile /usr/local/share/certs/ca-root-nss.crt -connect twitter.com:443