Reputation: 12086
Update: Many of my problems just had to do with not knowing how to post the client certificate. I've placed those details over here.
I am using Ruby to connect to an SSL server that only supports the TLS_RSA_WITH_AES_256_CBC_SHA256 cipher. I also need to supply a client certificate.
When I look at the available ciphers from OpenSSL::Cipher.ciphers, TLS_RSA_WITH_AES_256_CBC_SHA256 is not listed as an option.
How can I add this cipher to the available ciphers?
Thanks!
Here is my code:
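require 'net/http'
require 'openssl'

# uri (a parsed URI) and my_xml (the request body) are defined elsewhere
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
# Client certificate presented to the server
http.cert = OpenSSL::X509::Certificate.new(File.read("my.cer"))
# Root certificate used to verify the server
http.ca_file = 'their_root.cer'
http.ciphers = ['AES256-SHA256']
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.ssl_version = :SSLv23
request = Net::HTTP::Post.new(uri.request_uri)
request.body = my_xml
response = http.request(request)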
The error I receive:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert handshake failure
Inspecting the packets shows the server terminates with the message "Handshake Failure (40)" which appears to be a cipher problem.
I am not connecting from the command line, but here are the results of openssl s_client:
$ openssl s_client -connect dir-staging.surescripts.net:443 -tls1 -servername dir-staging.surescripts.net
CONNECTED(00000003)
depth=2 /C=US/O=Surescripts LLC./OU=Surescripts Certification Authorities/CN=Surescripts Root Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
14089:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/ssl/s3_pkt.c:1145:SSL alert number 40
14089:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/ssl/s3_pkt.c:566:
Upvotes: 3
Views: 2216
Reputation: 80105
According to openssl, this is also called "AES256-SHA256". According to Ruby lang, AES256-SHA256 is considered insecure and therefore disabled. The link contains a "patch" to re-enable the insecure ciphers.
You may want to seek advice from a security pro about the risks involved for your organisation.
(Edit) The error "self signed certificate in certificate chain" needs to be taken care of.
Upvotes: 1
Reputation: 102444
When I look at the available ciphers from OpenSSL::Cipher.ciphers, TLS_RSA_WITH_AES_256_CBC_SHA256 is not listed as an option.
The following OpenSSL command will list the relevant ciphers for you:
$ openssl ciphers -v 'ALL:!RC4:!MD5:!aNULL' | grep AES256 | grep SHA256
The results are:
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
DH-RSA-AES256-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(256) Mac=SHA256
DH-DSS-AES256-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(256) Mac=SHA256
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
Based on "Is it possible to enable TLS v1.2 in Ruby? If so, how?", you should next try to change the following:
http.ssl_version = :SSLv23
To:
ctx = OpenSSL::SSL::SSLContext.new
ctx.ssl_version = :TLSv1_2
How can I add this cipher to the available ciphers?
Based on the Edit to your question:
$ openssl s_client -connect dir-staging.surescripts.net:443 -tls1 -servername dir-staging.surescripts.net
14089:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/ssl/s3_pkt.c:1145:SSL alert number 40
14089:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/ssl/s3_pkt.c:566:
OpenSSL 0.9.8 does not support TLS 1.2. You should move to OpenSSL 1.0.0 or above. OpenSSL 1.0.2 is the latest, and you are encouraged to use it.
Upvotes: 0
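An added example, not code from any of the posts above: a Ruby check of what the linked OpenSSL build offers for the suite discussed here. It shows that OpenSSL::Cipher.ciphers lists symmetric algorithms rather than TLS suites, queries an SSLContext for AES256-SHA256, and builds a Net::HTTP client limited to TLS 1.2 or later using min_version (Ruby 2.5+) instead of the ssl_version setting shown in the answer. The helper names and the host example.test are assumptions made for illustration.

```ruby
require 'openssl'
require 'net/http'

# OpenSSL::Cipher.ciphers lists symmetric algorithms (e.g. "aes-256-cbc"),
# not TLS cipher suites, so a suite name is never found there.
def symmetric_algorithm?(name)
  OpenSSL::Cipher.ciphers.any? { |c| c.casecmp?(name) }
end

# TLS 1.2-and-earlier suites the linked OpenSSL offers for an OpenSSL cipher
# string, as [name, protocol, key_bits]. Returns [] when nothing matches.
def tls_suites_for(cipher_string)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = cipher_string
  ctx.ciphers
     .reject { |_name, protocol, *_| protocol == 'TLSv1.3' } # configured separately
     .map { |name, protocol, bits, _alg_bits| [name, protocol, bits] }
rescue OpenSSL::SSL::SSLError # raised for "no cipher match"
  []
end

# Net::HTTP client restricted to TLS 1.2+ and a single suite. Nothing is sent
# until a request is made. Host, port and suite are supplied by the caller.
def tls12_client(host, port, suite)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.min_version = OpenSSL::SSL::TLS1_2_VERSION
  http.ciphers = [suite]
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http
end

if __FILE__ == $PROGRAM_NAME
  puts "Linked against: #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
  puts "In OpenSSL::Cipher.ciphers? #{symmetric_algorithm?('AES256-SHA256')}"
  tls_suites_for('AES256-SHA256').each { |row| puts row.join("\t") }
  # example.test is a constructed placeholder host, not a real endpoint
  client = tls12_client('example.test', 443, 'AES256-SHA256')
  puts "Client ciphers: #{client.ciphers.inspect}"
end
```

An empty result from tls_suites_for means the OpenSSL library Ruby was built against does not know the suite, which is the situation the last answer describes for OpenSSL 0.9.8.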