kern/155160: [aesni] AES-NI breaks OpenSSL client calls

Hans Duedal hd at onlinecity.dk
Wed Mar 2 11:20:12 UTC 2011 

The following reply was made to PR kern/155160; it has been noted by GNATS.

From: Hans Duedal <hd at onlinecity.dk>
To: bug-followup at freebsd.org, hd at onlinecity.dk
Cc:  
Subject: Re: kern/155160: [aesni] AES-NI breaks OpenSSL client calls
Date: Wed, 2 Mar 2011 12:18:51 +0100

 --001636832066da7c7c049d7e1365
 Content-Type: text/plain; charset=ISO-8859-1
 
 Does not work:
 curl -v --ciphers AES256-SHA "https://twitter.com/"
 curl -v --ciphers AES256-SHA "https://encrypted.google.com/"
 
 Works:
 curl -v --ciphers AES128-SHA "https://twitter.com/"
 curl -v --ciphers AES128-SHA "https://encrypted.google.com/"
 curl -v --ciphers RC4-SHA "https://twitter.com/"
 curl -v --ciphers CAMELLIA128-SHA "https://oc.nimta.com/"
 curl -v --ciphers CAMELLIA256-SHA "https://oc.nimta.com/"
 
 The problem only affects the AES256 cipher and it's variants
 (DHE-RSA-AES256-SHA & DHE-DSS-AES256-SHA). But openssl s_client still works
 with it:
 openssl s_client -ssl3 -cipher AES256-SHA -state -CAfile
 /usr/local/share/certs/ca-root-nss.crt -connect twitter.com:443
 
 --001636832066da7c7c049d7e1365
 Content-Type: text/html; charset=ISO-8859-1
 Content-Transfer-Encoding: quoted-printable
 
 <div>Does not work:</div><div>curl -v --ciphers AES256-SHA &quot;<a href=3D=
 "https://twitter.com/">https://twitter.com/</a>&quot;</div><div>curl -v --c=
 iphers AES256-SHA &quot;<a href=3D"https://encrypted.google.com/">https://e=
 ncrypted.google.com/</a>&quot;</div>
 <div><br></div><div>Works:</div><div>curl -v --ciphers AES128-SHA &quot;<a =
 href=3D"https://twitter.com/">https://twitter.com/</a>&quot;</div><div>curl=
  -v --ciphers AES128-SHA &quot;<a href=3D"https://encrypted.google.com/">ht=
 tps://encrypted.google.com/</a>&quot;</div>
 <div>curl -v --ciphers RC4-SHA &quot;<a href=3D"https://twitter.com/">https=
 ://twitter.com/</a>&quot;</div><div>curl -v --ciphers CAMELLIA128-SHA &quot=
 ;<a href=3D"https://oc.nimta.com/">https://oc.nimta.com/</a>&quot;</div><di=
 v>
 curl -v --ciphers CAMELLIA256-SHA &quot;<a href=3D"https://oc.nimta.com/">h=
 ttps://oc.nimta.com/</a>&quot;</div><div><br></div><div>The problem only af=
 fects the AES256 cipher and it&#39;s variants (DHE-RSA-AES256-SHA &amp; DHE=
 -DSS-AES256-SHA). But openssl s_client still works with it:</div>
 <div>openssl s_client -ssl3 -cipher AES256-SHA -state -CAfile /usr/local/sh=
 are/certs/ca-root-nss.crt -connect <a href=3D"http://twitter.com:443">twitt=
 er.com:443</a></div>
 
 --001636832066da7c7c049d7e1365--

More information about the freebsd-bugs mailing list