Question & Answer
Question
We have defined our cipher suites to AT-TLS as follows:
TTLSCipherParms cipher1~AT-TLS__Gold
{
V3CipherSuites4Char TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
V3CipherSuites4Char TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
V3CipherSuites4Char TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
V3CipherSuites4Char TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_RSA_WITH_AES_256_GCM_SHA384
V3CipherSuites TLS_RSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256
V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
}
The client program specified this list of cipher suites, all elliptical except for one:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
Since AT-TLS (the server side) specifies the elliptical cipher suites as preferred to the non-elliptical cipher suites, we expected the server side to accept an elliptical cipher suite in this case. Unexpectedly, however, it only accepts the non-elliptical cipher suite specified by the client.
Answer
On the AT-TLS (server), the V3CipherSuites4Char parameter was invalidly used to defined a cipher constant. The V3CipherSuites statement must be used to define either a single cipher constant, or a string of one or more 2-hexadecimal character ciphers. The V3CipherSuites4Char statement is used to define a string of one or more 4-hexadecimal character ciphers only.
Because AT-TLS invalidly used the V3CipherSuites4Char parameter to define cipher constants representing elliptical cipher suites, none of those elliptical cipher suite definitions took effect. As a result, the non-elliptical cipher suite offered the client was accepted.
Here is how the TTLSCipherParms statement on the AT-TLS server side needs to be coded to make sure that an elliptical cipher suite is chosen in this case:
TTLSCipherParms cipher1~AT-TLS__Gold
{
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_RSA_WITH_AES_256_GCM_SHA384
V3CipherSuites TLS_RSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256
V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
}
Product Synonym
ZOSCS COMMSERVER
Was this topic helpful?
Document Information
Modified date:
07 March 2016
UID
dwa1247560