[gnutls-help] How to enable AES-256-CBC?
john.sha.jiang at gmail.com
Mon Jan 13 00:41:22 CET 2020
On Fri, Jan 10, 2020 at 4:43 PM Nikos Mavrogiannopoulos <nmav at gnutls.org>
> On Fri, Jan 10, 2020 at 2:22 AM John Jiang <john.sha.jiang at gmail.com>
> > On Thu, Jan 9, 2020 at 10:52 PM Nikos Mavrogiannopoulos <nmav at gnutls.org>
> >> On Wed, Jan 8, 2020 at 6:01 AM John Jiang <john.sha.jiang at gmail.com>
> >> >
> >> > Hi,
> >> > I'm using GnuTLS 3.6.10.
> >> > It looks like this version disables AES-256-CBC.
> >> > With my testing on gnutls-serv, if a client supports cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 only, the connection just fails.
> >> > But if the client uses TLS_RSA_WITH_AES_128_GCM_SHA256, the connection can be established.
> >> > Could this cipher suite be enabled by priority string?
> >> > I have tried "NORMAL:+RSA:+AES-256-CBC", but it didn't work.
> >> Hi,
> >> AES-256-CBC is not disabled. SHA256 as HMAC is. You need to add
> >> +SHA256 in a priority string.
> > It works, thanks!
> > BTW, could I get SSLv3.0 back?
> > I tried "NORMAL:+VERS-SSL3.0:+RSA:+SHA256", but got a protocol_version alert with TLS_RSA_WITH_AES_128_CBC_SHA and SSLv3.
> > If I used TLSv1.0 and the same cipher suite, my test passed.
> It is disabled by default without any option to enable. You'll need to
> recompile the library and enable ssl3 in the configure step.
I tried the configure option "--enable-ssl3-support", and it worked.