openssl s_client no cipher match

Tags: openssl

I get the following error when trying to set the cipher in openssl s_client:

# openssl s_client -connect 10.0.0.3:8443 -cipher TLS_AES_128_GCM_SHA256
Error with command: "-cipher TLS_AES_128_GCM_SHA256"
140230972122240:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2549:

When I look up this error in Google, it says that the cipher is missing from the list reported by openssl ciphers. However, this is not the case:

# openssl ciphers | sed 's/:/\n/g' | grep TLS_AES_128_GCM_SHA256
TLS_AES_128_GCM_SHA256

This error is not a function of the server configuration, as it is printed even if I change the -connect IP address to something bogus. So evidently the problem is happening before s_client even attempts to connect to the server.

What does this error message mean, given that it seems unrelated to openssl ciphers?

personal_cloud asked Jul 26 '19 01:07


1 Answer

TLSv1.3 changed the way ciphersuites work quite significantly. As a result ciphersuites defined for TLSv1.2 and below do not work in TLSv1.3 and vice versa. For this reason OpenSSL handles them separately internally as well and they are configured in different ways - even though "on the wire" the list of TLSv1.2 and TLSv1.3 ciphersuites get merged. The openssl ciphers command reports the merged list of TLSv1.2 and TLSv1.3 ciphersuites.

TLS_AES_128_GCM_SHA256 is actually a TLSv1.3 ciphersuite:

$ openssl ciphers -v | grep TLS_AES_128_GCM_SHA256
TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(128) Mac=AEAD

Therefore you need to use a different command line option in s_client to use that ciphersuite:

$ openssl s_client -connect 10.0.0.3:8443 -ciphersuites TLS_AES_128_GCM_SHA256

Although actually the above command will send the combined list of default TLSv1.2 ciphersuites as well as the above TLSv1.3 ciphersuite. If you only want that one ciphersuite then you will additionally need to disable protocol versions below TLSv1.3:

$ openssl s_client -connect 10.0.0.3:8443 -ciphersuites TLS_AES_128_GCM_SHA256 -tls1_3

Note however that the ciphersuite you are interested in is in the default set of TLSv1.3 ciphersuites so if you don't set any other TLSv1.3 ciphersuite configuration it will get sent anyway.

Matt Caswell answered Sep 22 '22 13:09
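As an added illustration of the distinction in the answer above (this is not code from the original answer or from OpenSSL itself): a small POSIX shell helper that reads the protocol column of openssl ciphers -v output and picks the s_client option a suite needs, adding -tls1_3 for TLSv1.3 suites so the default TLSv1.2 list is not offered alongside. The cipher table is constructed inline from the listing format shown in the answer, so the script runs without openssl installed; on a real system you would pipe openssl ciphers -v in instead.

```shell
#!/bin/sh
# Constructed sample of `openssl ciphers -v` output (OpenSSL 1.1.1-style columns:
# name, protocol, Kx, Au, Enc, Mac). Only the first two columns are used here.
CIPHER_TABLE='TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(128) Mac=AEAD
AES128-SHA                     SSLv3   Kx=RSA      Au=RSA   Enc=AES(128)    Mac=SHA1'

# Print the protocol a suite is listed under; fail if the suite is not in the table.
cipher_protocol() {
    printf '%s\n' "$CIPHER_TABLE" |
        awk -v name="$1" '$1 == name { print $2; found = 1 } END { exit !found }'
}

# Map a suite name to the s_client option that accepts it:
# TLSv1.3 suites go through -ciphersuites, everything older through -cipher.
s_client_option() {
    proto=$(cipher_protocol "$1") || return 1
    case "$proto" in
        TLSv1.3) echo "-ciphersuites" ;;
        *)       echo "-cipher" ;;
    esac
}

# Build the s_client command line for host:port and a single suite.
# For a TLSv1.3 suite, -tls1_3 is appended so only that suite is offered.
s_client_cmdline() {
    opt=$(s_client_option "$2") || { echo "unknown cipher: $2" >&2; return 1; }
    if [ "$opt" = "-ciphersuites" ]; then
        echo "openssl s_client -connect $1 $opt $2 -tls1_3"
    else
        echo "openssl s_client -connect $1 $opt $2"
    fi
}

# Example from the question: the suite that -cipher rejects with "no cipher match".
s_client_cmdline 10.0.0.3:8443 TLS_AES_128_GCM_SHA256
```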