[gnutls-help] How to enable AES-256-CBC?

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Jan 10 09:42:51 CET 2020

On Fri, Jan 10, 2020 at 2:22 AM John Jiang <john.sha.jiang at gmail.com> wrote:
> On Thu, Jan 9, 2020 at 10:52 PM Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
>> On Wed, Jan 8, 2020 at 6:01 AM John Jiang <john.sha.jiang at gmail.com> wrote:
>> >
>> > Hi,
>> > I'm using GnuTLS 3.6.10.
>> > It looks like this version disables AES-256-CBC.
>> > With my testing on gnutls-serv, if a client supports cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 only, the connection just fails.
>> > But if the client uses TLS_RSA_WITH_AES_128_GCM_SHA256, the connection can be established.
>> > Could this cipher suite be enabled by priority string?
>> > I have tried "NORMAL:+RSA:+AES-256-CBC", but it didn't work.
>> Hi,
>> AES-256-CBC is not disabled. SHA256 as HMAC is. You need to add
>> +SHA256 in a priority string.
> It works, thanks!
> BTW, could I get SSLv3.0 back?
> I tried "NORMAL:+VERS-SSL3.0:+RSA:+SHA256", but got a protocol_version alert with TLS_RSA_WITH_AES_128_CBC_SHA and SSLv3.
> If I used TLSv1.0 and the same cipher suite, my test passed.

It is disabled by default without any option to enable. You'll need to
recompile the library and enable ssl3 in the configure step.
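
The priority-string fix discussed in this thread can be checked before starting a server. The script below is an added example, not part of the original messages: it reads `gnutls-cli --list --priority STRING` output and looks a suite up by its two-byte IANA id, since the GnuTLS name (TLS_RSA_AES_256_CBC_SHA256) differs from the IANA name the client reports. The function names and the sample listings are constructed for illustration, and the tab-separated name/id/version layout of the listing is assumed.

```shell
#!/bin/sh
# Added example: is a given cipher suite enabled by a GnuTLS priority string?

# suite_status HI LO
#   stdin: output of `gnutls-cli --list --priority STRING`
#   prints "GNUTLS_NAME (MIN_VERSION)" if the id is listed, else "absent".
suite_status() {
    awk -F'\t' -v id="0x$1, 0x$2" '
        tolower($2) == tolower(id) {
            gsub(/ +$/, "", $1)          # drop the column padding after the name
            print $1 " (" $3 ")"
            found = 1
        }
        END { if (!found) print "absent" }'
}

# One listing row in the assumed gnutls-cli layout: padded name, id, version.
row() { printf '%-50s\t%s\t%s\n' "$1" "$2" "$3"; }

# Constructed, abridged listings (not captured output). The first models
# "NORMAL", where SHA256 as HMAC is off; the second models "NORMAL:+SHA256".
sample_normal() {
    echo 'Cipher suites for (constructed sample)'
    row TLS_RSA_AES_128_GCM_SHA256 '0x00, 0x9c' TLS1.2
    row TLS_RSA_AES_256_CBC_SHA1   '0x00, 0x35' TLS1.0
}
sample_sha256() {
    sample_normal
    row TLS_RSA_AES_256_CBC_SHA256 '0x00, 0x3d' TLS1.2
}

# live_status PRIORITY HI LO: the same check against the installed library.
live_status() {
    command -v gnutls-cli >/dev/null 2>&1 || { echo 'gnutls-cli not installed'; return 0; }
    gnutls-cli --list --priority "$1" 2>/dev/null | suite_status "$2" "$3"
}

# 0x00,0x3d is TLS_RSA_WITH_AES_256_CBC_SHA256.
echo "sample NORMAL:         $(sample_normal | suite_status 00 3d)"
echo "sample NORMAL:+SHA256: $(sample_sha256 | suite_status 00 3d)"
echo "live   NORMAL:+SHA256: $(live_status 'NORMAL:+SHA256' 00 3d)"
```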

