Use client cipher and certificate TLS_RSA_WITH_AES_256_CBC_SHA256
Update: . Many of my problems are simply due to the fact that you don't know how to send a client certificate. I posted these details here .
I am using Ruby to connect to an SSL server which only supports cipher . I also need to provide a client certificate. TLS_RSA_WITH_AES_256_CBC_SHA256
When I look at the available ciphers from OpenSSL::Cipher.ciphers
, it is not listed as an option. TLS_RSA_WITH_AES_256_CBC_SHA256
How can I add this cipher to the available ciphers?
Thank!
Here is my code:
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.cert = OpenSSL::X509::Certificate.new(File.read("my.cer"))
http.ca_file = 'their_root.cer'
http.ciphers = ['AES256-SHA256']
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.ssl_version = :SSLv23
request = Net::HTTP::Post.new(uri.request_uri)
request.body = my_xml
response = http.request(request)
The error I am getting:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert handshake failure
Checking the packets shows that the server exits with a "Handshake Error (40)" message, which appears to be an encryption problem.
I am not connecting from the command line, but here are the openssl s_client results:
$ openssl s_client -connect dir-staging.surescripts.net:443 -tls1 -servername dir-staging.surescripts.net
CONNECTED(00000003)
depth=2 /C=US/O=Surescripts LLC./OU=Surescripts Certification Authorities/CN=Surescripts Root Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
14089:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/ssl/s3_pkt.c:1145:SSL alert number 40
14089:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/ssl/s3_pkt.c:566:
source to share
According to openssl , this is also called "AES256-SHA256". According to Ruby lang , AES256-SHA256 is considered insecure and therefore disabled. The link contains a "patch" to re-enable weak ciphers.
You can seek advice from a security professional about the risks associated with your organization.
(Edit) The error "self-signed certificate in certificate chain" should be taken care of .
source to share
When I go through the available ciphers from
OpenSSL::Cipher.ciphers
isTLS_RSA_WITH_AES_256_CBC_SHA256
not listed as an option.
The following OpenSSL command will list the corresponding ciphers:
$ openssl ciphers -v 'ALL:!RC4:!MD5:!aNULL' | grep AES256 | grep SHA256`.
Results:
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256 DH-RSA-AES256-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(256) Mac=SHA256 DH-DSS-AES256-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(256) Mac=SHA256 AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
Based on Is it possible to enable TLS v1.2 in Ruby? If so, how? , you should try to change the following:
http.ssl_version = :SSLv23
To:
ctx = OpenSSL::SSL::SSLContext.new
ctx.ssl_version = :TLSv1_2
How can I add this cipher to the available ciphers?
Based on Edit to your own question:
$ openssl s_client -connect dir-staging.surescripts.net:443 -tls1 -servername dir-staging.surescripts.net 14089:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/ssl/s3_pkt.c:1145:SSL alert number 40 14089:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/ssl/s3_pkt.c:566:
OpenSSL 0.9.8 does not support TLS 1.2. You must upgrade to OpenSSL 1.0.0 or higher. OpenSSL 1.0.2 is the latest and you are encouraged to use it.
source to share