[gnutls-help] How to enable AES-256-CBC?
John Jiang
john.sha.jiang at gmail.com
Mon Jan 13 00:41:22 CET 2020
Hi,
On Fri, Jan 10, 2020 at 4:43 PM Nikos Mavrogiannopoulos <nmav at gnutls.org>
wrote:
> On Fri, Jan 10, 2020 at 2:22 AM John Jiang <john.sha.jiang at gmail.com>
> wrote:
> >
> > On Thu, Jan 9, 2020 at 10:52 PM Nikos Mavrogiannopoulos <nmav at gnutls.org>
> wrote:
> >>
> >> On Wed, Jan 8, 2020 at 6:01 AM John Jiang <john.sha.jiang at gmail.com>
> wrote:
> >> >
> >> > Hi,
> >> > I'm using GnuTLS 3.6.10.
> >> > It looks this version disables AES-256-CBC.
> >> > With my testing on gnutls-serv, if a client supports cipher suite
> TLS_RSA_WITH_AES_256_CBC_SHA256 only, the connecting just fails.
> >> > But if the client uses TLS_RSA_WITH_AES_128_GCM_SHA256, the
> connection can be established.
> >> > Could this cipher suite be enabled by priority string?
> >> > I have tried "NORMAL:+RSA:+AES-256-CBC", but it didn't work.
> >>
> >> Hi,
> >> AES-256-CBC is not disabled. SHA256 as HMAC is. You need to add
> >> +SHA256 in a priority string.
> >
> > It works, thanks!
> >
> > BTW, could I get SSLv3.0 back?
> > I tried "NORMAL:+VERS-SSL3.0:+RSA:+SHA256", but got protocol_version
> alert with TLS_RSA_WITH_AES_128_CBC_SHA and SSLv3.
> > If used TLSv1.0 and the same cipher suite, my test passed.
>
> It is disabled by default without any option to enable. You'll need to
> recompile the library and enable ssl3 in the configure step.
>
I tried configure option "--enable-ssl3-support", and it worked.
Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20200113/f05578ea/attachment.html>
More information about the Gnutls-help
mailing list