I've noticed recently that when my client tries to negotiated a TLS session its ciphers preference list is being ignored by the server.
$ openssl s_client -connect server_ip:443 -state -msg -cipher AES128-SHA
# filtered out ....
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
$ openssl s_client -connect server_ip:443 -state -msg -cipher DES-CBC-SHA
# filtered out ....
New, TLSv1/SSLv3, Cipher is DES-CBC-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC-SHA
# openssl s_client -connect server_ip:443 -state -msg -cipher DES-CBC-SHA:AES128-SHA
# skiped ...
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID:
Session-ID-ctx:
Master-Key: C7E7F65B4E927AFDE568E52FDAE52495CE815DAC2958B82C854146CD383FC00BB47ED691840C713CE762B6430FCB3230
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1389568347
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
# openssl s_client -connect server_ip:443 -state -msg -cipher AES128-SHA:DES-CBC-SHA
# skiped ...
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 1F0FB31410AAFFC234DC5598FFA2A676C63119A6367453D05578F9B1652DD085DB1D5C016694B9D293F3A2DFF769EF51
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1389568389
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
We can see in (1) and (2) that the TLS servers supports 2 different ciphers suits.
In (3) and (4) we see that even though the preference list was directly specified by the client the TLS server ignored the settings in (3).
Example ssldump output from (3).
# ssldump -A -n -i eth0 port 443 and host my_server_ip
New TCP connection #1: 162.13.0.27(51869) <-> my_server_ip(443)
1 1 0.1013 (0.1013) C>SV3.1(61) Handshake
ClientHello
Version 3.2
random[32]=
52 d3 23 b5 62 f5 08 38 14 53 d9 ac a4 51 c2 28
0d e2 0e b6 41 89 2d af a1 50 55 bd a9 35 05 75
cipher suites
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
Unknown value 0xff
compression methods
unknown value
NULL
1 2 0.1984 (0.0970) S>CV3.1(49) Handshake
ServerHello
Version 3.1
random[32]=
2b ae 63 1e 9c da f3 38 b6 f9 dd c6 c0 4f ad 6c
2c f0 f3 52 67 6e 28 29 8a 24 95 95 a5 67 f2 6f
session_id[0]=
cipherSuite TLS_RSA_WITH_AES_128_CBC_SHA
compressionMethod NULL
1 3 0.1984 (0.0000) S>CV3.1(674) Handshake
Certificate
certificate[664]=
50 82 02 94 50 82 01 fd 02 02 03 79 50 0d 06 09
2a 86 48 86 f7 0d 01 01 05 05 00 50 81 b6 31 0b
50 11 06 03 55 04 06 13 02 55 53 31 0e 50 0c 06
03 55 04 08 13 05 54 65 78 61 73 31 14 50 12 06
03 55 04 07 13 0b 53 61 6e 20 41 6e 74 6f 6e 69
6f 31 12 50 10 06 03 55 04 0a 13 11 52 61 63 6b
73 70 61 63 65 31 1e 50 1c 06 03 55 04 0b 13 15
53 79 73 74 65 6d 20 41 64 6d 69 6e 69 73 74 72
61 74 69 6f 6e 31 23 50 21 06 03 55 04 03 13 1a
...
b3 79 0a 37 cd 27 93 af
1 4 0.1984 (0.0000) S>CV3.1(4) Handshake
ServerHelloDone
1 5 0.2126 (0.0141) C>SV3.1(134) Handshake
ClientKeyExchange
EncryptedPreMasterSecret[128]=
33 25 53 17 c2 45 b0 32 8a ca c1 66 39 6e f0 31
98 96 4c 34 f2 e4 fd b7 0c e6 15 af c7 d3 fc e4
0d 15 c9 c9 d4 e0 78 5a a1 13 dc 55 8b 5a bc 69
68 24 f5 d1 50 6a 19 2e 71 9a 66 ee 3a 64 bc 1e
d8 9a da d4 e0 44 96 b3 43 20 f1 a0 b6 4c 49 8e
b2 ae 2b a6 12 68 78 19 eb 61 06 1c 34 8a 03 22
ab 7e ff f8 88 44 89 97 cd 53 06 b0 b6 66 7b 77
2a c0 0a 15 a3 54 2d 8c 5b 74 bc fe 31 3f 1f 8f
1 6 0.2126 (0.0000) C>SV3.1(1) ChangeCipherSpec
1 7 0.2126 (0.0000) C>SV3.1(48) Handshake
1 8 0.3100 (0.0974) S>CV3.1(1) ChangeCipherSpec
1 9 0.3100 (0.0000) S>CV3.1(48) Handshake
1 1.4782 (1.1681) C>S TCP FIN
1 1.5740 (0.0958) S>C TCP FIN
Problem
Can TLS server ignore the cipher suite list passed from the client during TLS handshaking?
Analysis
The specification how the
ClientHello message can be handled by the server during
TLS handshaking has changed from TLS v1.0 to v1.2. The extract from the RFC comparing both relevant sections.
7.4.1.2. Client hello
The CipherSuite list, passed from the client to the server in the
client hello message, contains the combinations of cryptographic
algorithms supported by the client in order of the client's
preference (favorite choice first). Each CipherSuite defines a key
exchange algorithm, a bulk encryption algorithm (including secret key
length) and a MAC algorithm.
The server will select a cipher suite or, if no acceptable choices
are presented, return a handshake failure alert and close the
connection.
7.4.1.2. Client Hello
The cipher suite list, passed from the client to the server in the
ClientHello message, contains the combinations of cryptographic
algorithms supported by the client in order of the client's
preference (favorite choice first). Each cipher suite defines a key
exchange algorithm, a bulk encryption algorithm (including secret key
length), a MAC algorithm, and a PRF. The server will select a cipher
suite or, if no acceptable choices are presented, return a handshake
failure alert and close the connection.
If the list contains cipher suites the server does not recognize,
support, or wish to use, the server MUST ignore those cipher suites,
and process the remaining ones as usual.
In the yellow parts we can see that a server implementing TLS v1.2 has the ability to ignore ciphers specified by the client in its list
ClientHello message. The criteria are very wide. The TLS server can ignore a cipher only because it doesn't wish to use it.
References
http://www.openssl.org/docs/apps/ciphers.html
DES and IDEA ciphers are deprecated in the latest TLS protocol
http://www.ietf.org/rfc/rfc2246.txt - The TLS Protocol, Version 1.0
http://tools.ietf.org/html/rfc5246.txt - The Transport Layer Security (TLS) Protocol, Version 1.2
http://support.f5.com/kb/en-us/solutions/public/10000/200/sol10209.html - ssldump
A definitely interesting reading about ciphers in the web browser to show some parasitical view at the cipher list topic.
https://groups.google.com/forum/#!topic/mozilla.dev.tech.crypto/36na1B2brGU