0
votes

I want to test my client against a test server, so I am using the OpenSSL s_server command. The goal is to configure the server to select only 1 cipher suite which I configure. This way I can test different cipher suites sent by the client. I cannot change the cipher suite list on the client side.

To start the server I use:

```
openssl s_server -accept 50000 -cert ../server/server_certificate.pem -key ../server/private_key.pem -CAfile ca_certificate.pem  -cipher ECDHE-RSA-AES256-GCM-SHA384 -serverpref -state -debug -status_verbose
```

To test whether the server selects the configured cipher suite, I start the client as

```
openssl s_client -connect 3.135.190.131:50000 -cert ../client/client_certificate1.pem -key ../client/private_key.pem -CAfile ca_certificate.pem
```

But when I connect the client to the server, the server selects TLS_AES_256_GCM_SHA384 instead of the configured ECDHE-RSA-AES256-GCM-SHA384. Also, I checked the trace, and the client does send ECDHE-RSA-AES256-GCM-SHA384 in the cipher suite list.

Can you suggest what could be wrong on the server side command?


1 Answers

2
votes

Your server and client want to speak TLS 1.3 which has its own strict set of ciphersuites which does not include ECDHE-RSA-AES256-GCM-SHA384.

These can be changed with the -ciphersuites argument to s_server. The set of ciphersuites is in addition to the TLS 1.2 ciphers set by -cipher. Per the [man page](https://www.openssl.org/docs/man1.1.1/man1/openssl-s_server.html):

> -cipher val
>
> This allows the list of TLSv1.2 and below ciphersuites used by the server to be modified. This list is combined with any TLSv1.3 ciphersuites that have been configured. When the client sends a list of supported ciphers the first client cipher also included in the server list is used. Because the client specifies the preference order, the order of the server cipherlist is irrelevant. See the ciphers command for more information.
>
> -ciphersuites val
>
> This allows the list of TLSv1.3 ciphersuites used by the server to be modified. This list is combined with any TLSv1.2 and below ciphersuites that have been configured. When the client sends a list of supported ciphers the first client cipher also included in the server list is used. Because the client specifies the preference order, the order of the server cipherlist is irrelevant. See the ciphers command for more information. The format for this list is a simple colon (":") separated list of TLSv1.3 ciphersuite names.

If we try completely removing the TLS 1.3 ciphersuites, leaving only the TLS 1.2 ciphers, here's what happens on the server side:

```
$ openssl s_server -accept 50000 -cert node.crt -key node.key -CAfile ca.crt  -cipher ECDHE-RSA-AES256-GCM-SHA384 -serverpref -state -debug -status_verbose -ciphersuites ""
Using default temp DH parameters
ACCEPT
write to 0x55c8894b0bd0 [0x55c8894c83f0] (7 bytes => 7 (0x7))
0000 - 15 03 03 00 02 02 28                              ......(
SSL3 alert write:fatal:handshake failure
SSL_accept:error in error
ERROR
139842681824576:error:141FC0B5:SSL routines:tls_setup_handshake:no ciphers available:../ssl/statem/statem_lib.c:127:No ciphers enabled for max supported SSL/TLS version
shutting down SSL
CONNECTION CLOSED
```

There are no valid TLS 1.3 ciphersuites enabled on the server, but both client and server support TLS 1.3. This results in a failed connection (no TLS downgrade).

Instead, you would need to force the max version to TLS 1.2 on one of the two parties. We can do this on the server (leaving -ciphersuites alone since it won't be used anymore):

```
$ openssl s_server -accept 50000 -cert node.crt -key node.key -CAfile ca.crt  -cipher ECDHE-RSA-AES256-GCM-SHA384 -serverpref -state -debug -status_verbose -no_tls1_3
...
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
```

This is all covered in a lot more detail in the Ciphersuites section of wiki.openssl.org/TLS1.3
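A way to reproduce the comparison above on one machine, as an added example that is not part of the original answer: it starts s_server with the same `-cipher` value and reports what a default s_client negotiates, with and without `-no_tls1_3`. Assumptions: OpenSSL 1.1.1 or later on PATH, the constructed loopback ports are free, a throwaway self-signed certificate stands in for the real ones, and `-www` is added only so the background server does not read the script's stdin.

```shell
#!/bin/sh
# Added example (not from the original thread): report which suite s_server
# negotiates when given -cipher ECDHE-RSA-AES256-GCM-SHA384 plus extra flags.
# Assumptions: OpenSSL 1.1.1+ on PATH; loopback ports 50443/50444 are free.

negotiated_cipher() {            # usage: negotiated_cipher PORT [s_server flags...]
  port=$1; shift
  dir=$(mktemp -d) || return 1
  # Throwaway self-signed RSA certificate (constructed test material).
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=localhost" -days 1 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || true
  # -www keeps the background server from treating EOF on stdin as "quit".
  openssl s_server -accept "$port" -cert "$dir/cert.pem" -key "$dir/key.pem" \
    -cipher ECDHE-RSA-AES256-GCM-SHA384 -serverpref -www "$@" >/dev/null 2>&1 &
  pid=$!
  out=""
  for attempt in 1 2 3 4 5 6 7 8 9 10; do   # wait for the listener to come up
    out=$(openssl s_client -connect "127.0.0.1:$port" </dev/null 2>/dev/null) || true
    case $out in *"Cipher is"*) break ;; esac
    sleep 1
  done
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
  rm -rf "$dir"
  # s_client reports the result on a line ending in "Cipher is <suite name>".
  printf '%s\n' "$out" | sed -n 's/^.*Cipher is //p' | head -n 1
}

# Default: both sides support TLS 1.3, so a TLS 1.3 suite is chosen and
# the -cipher list does not decide the result.
echo "default:    $(negotiated_cipher 50443)"
# TLS 1.3 disabled on the server: the -cipher list now decides.
echo "-no_tls1_3: $(negotiated_cipher 50444 -no_tls1_3)"
```
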