
Cipher suites bound to SSL/TLS protocol versions

Question asked by J.S. on Oct 8, 2014
Latest reply on Oct 14, 2014 by Ivan Ristić

When a client and server agree on an SSL/TLS protocol, should that restrict the cipher suites that can then be used? I ran openssl s_client -ssl3 -connect <IP>:443 and I got:

Protocol  : SSLv3
Cipher    : ECDHE-RSA-RC4-SHA

Shouldn't this be impossible? ECDHE-RSA-RC4-SHA didn't arrive until RFC4492, which says it's "applicable both to TLS Version 1.0 and to TLS Version 1.1" - after all, SSLv3 is not actively maintained. I can see how this works in theory if you think of the protocol as a wrapper for the cipher suite but in many places on the web EC cipher suites seem bound to TLS. (I guess my connection here is losing out on the protocol improvements, though, e.g. the MAC for this session would be the weaker SSLv3 version.)

 

On a wider point, SSL Labs doesn't present its cipher suite results in a per-protocol list. Is there a reason for that, beyond repetition? Many tools output such a list but I guess, in light of the above, a list broken down by protocol isn't really definitive, it depends on the client doing the testing. If you think of Apache, at least, it's working on a static SSLCipherSuite list. So there will only be a difference between protocol versions if the *client* offers a different list/order of cipher suites based on the protocol.

 

On that point, OpenSSL's behaviour seems inconsistent to me. openssl ciphers -v -ssl3 ALL, which is supposed to "only include SSL v3 ciphers" by using the -ssl3 switch, returns the same result as openssl ciphers -v ALL. But s_client's -ssl3 does show a difference. Running Wireshark alongside s_client -ssl3 (version 1.0.1i) showed 46 cipher suites offered (although 1 was TLS_EMPTY_RENEGOTIATION_INFO_SCSV to indicate secure reneg). Without -ssl3 (defaulting to TLS1.2) s_client offered 74 suites (again including TLS_EMPTY_RENEGOTIATION_INFO_SCSV, although I was expecting the TLS renegotiation_info extension instead but I guess it doesn't matter). Obviously both times ECDHE-RSA-RC4-SHA was included.

 

So while the idea of certain cipher suites being bound to certain SSL/TLS versions appears in many places, in practice it seems a bit blurred. Any clarification appreciated!
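
The ClientHello comparison described in the question (counting the suites offered under each protocol version, and checking for TLS_EMPTY_RENEGOTIATION_INFO_SCSV versus the renegotiation_info extension) can be scripted instead of read off Wireshark. The following is an added example, not part of the original post; the function names and the two sample hellos are constructed for illustration and are not the 46- and 74-suite captures mentioned above.

```python
import struct

SCSV = 0x00FF               # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)
RENEG_EXT = 0xFF01          # renegotiation_info extension type (RFC 5746)
ECDHE_RSA_RC4_SHA = 0xC011  # TLS_ECDHE_RSA_WITH_RC4_128_SHA (RFC 4492)
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record that holds a complete, unfragmented ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body, pos = record[9:], 0
    if int.from_bytes(record[6:9], "big") != len(body):
        raise ValueError("fragmented or truncated ClientHello")
    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("length field runs past the end of the message")
        pos += n
        return body[pos - n:pos]
    version = int.from_bytes(take(2), "big")
    take(32)                      # random
    take(take(1)[0])              # session_id
    raw = take(int.from_bytes(take(2), "big"))
    if len(raw) % 2:
        raise ValueError("odd cipher_suites length")
    suites = list(struct.unpack(f"!{len(raw) // 2}H", raw))
    take(take(1)[0])              # compression methods
    exts = []
    if pos < len(body):           # the extensions block is optional
        end = int.from_bytes(take(2), "big") + pos  # pos is read after take() advanced it
        while pos < end:
            etype, elen = struct.unpack("!HH", take(4))
            take(elen)
            exts.append(etype)
    return {"version": VERSIONS.get(version, hex(version)), "suites": suites,
            "real_suites": len([s for s in suites if s != SCSV]),  # SCSV is a signal, not a cipher
            "scsv": SCSV in suites, "reneg_extension": RENEG_EXT in exts}

def build_sample(version: int, suites: list, exts: bytes = b"") -> bytes:
    """Constructed ClientHello for the demo: zeroed random, empty session id."""
    body = struct.pack(f"!H32xBH{len(suites)}H", version, 0, 2 * len(suites), *suites)
    body += b"\x01\x00"           # one compression method: null
    body += struct.pack("!H", len(exts)) + exts if exts else b""
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs

# Constructed samples, not captures from the original post.
SSL3_HELLO = build_sample(0x0300, [ECDHE_RSA_RC4_SHA, 0x0005, SCSV])
TLS12_HELLO = build_sample(0x0303, [0xC02F, ECDHE_RSA_RC4_SHA], bytes.fromhex("ff01000100"))
```

Feeding it the raw bytes of the first record from each capture gives a per-protocol view of what the client actually offered, which is the list the server's static configuration is matched against.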
