From owner-freebsd-bugs@FreeBSD.ORG Wed Mar 2 11:20:12 2011 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 685681065680 for ; Wed, 2 Mar 2011 11:20:12 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 3DAF48FC18 for ; Wed, 2 Mar 2011 11:20:12 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p22BKBE0052938 for ; Wed, 2 Mar 2011 11:20:11 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p22BKBal052937; Wed, 2 Mar 2011 11:20:11 GMT (envelope-from gnats) Date: Wed, 2 Mar 2011 11:20:11 GMT Message-Id: <201103021120.p22BKBal052937@freefall.freebsd.org> To: freebsd-bugs@FreeBSD.org From: Hans Duedal Cc: Subject: Re: kern/155160: [aesni] AES-NI breaks OpenSSL client calls X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Hans Duedal List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Mar 2011 11:20:12 -0000 The following reply was made to PR kern/155160; it has been noted by GNATS. From: Hans Duedal To: bug-followup@freebsd.org, hd@onlinecity.dk Cc: Subject: Re: kern/155160: [aesni] AES-NI breaks OpenSSL client calls Date: Wed, 2 Mar 2011 12:18:51 +0100 --001636832066da7c7c049d7e1365 Content-Type: text/plain; charset=ISO-8859-1 Does not work: curl -v --ciphers AES256-SHA "https://twitter.com/" curl -v --ciphers AES256-SHA "https://encrypted.google.com/" Works: curl -v --ciphers AES128-SHA "https://twitter.com/" curl -v --ciphers AES128-SHA "https://encrypted.google.com/" curl -v --ciphers RC4-SHA "https://twitter.com/" curl -v --ciphers CAMELLIA128-SHA "https://oc.nimta.com/" curl -v --ciphers CAMELLIA256-SHA "https://oc.nimta.com/" The problem only affects the AES256 cipher and it's variants (DHE-RSA-AES256-SHA & DHE-DSS-AES256-SHA). But openssl s_client still works with it: openssl s_client -ssl3 -cipher AES256-SHA -state -CAfile /usr/local/share/certs/ca-root-nss.crt -connect twitter.com:443 --001636832066da7c7c049d7e1365 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
Does not work:
curl -v --ciphers AES256-SHA "https://twitter.com/"
curl -v --c= iphers AES256-SHA "https://e= ncrypted.google.com/"

Works:
curl -v --ciphers AES128-SHA "https://twitter.com/"
curl= -v --ciphers AES128-SHA "ht= tps://encrypted.google.com/"
curl -v --ciphers RC4-SHA "https= ://twitter.com/"
curl -v --ciphers CAMELLIA128-SHA "= ;https://oc.nimta.com/"
curl -v --ciphers CAMELLIA256-SHA "h= ttps://oc.nimta.com/"

The problem only af= fects the AES256 cipher and it's variants (DHE-RSA-AES256-SHA & DHE= -DSS-AES256-SHA). But openssl s_client still works with it:
openssl s_client -ssl3 -cipher AES256-SHA -state -CAfile /usr/local/sh= are/certs/ca-root-nss.crt -connect twitt= er.com:443
--001636832066da7c7c049d7e1365--