RE: strange problem of "no shared cipher" for no certificate TLS connection


RE: strange problem of "no shared cipher" for no certificate TLS connection

Roger Zhang
Hi, Marek,

I used SSL_CTX_set_cipher_list() to try all kinds of ADH plus aNULL, eNULL, NULL and ALL. The connection still could not be set up without a server certificate. I found that if I set the server certificate and private key, the connection could be set up. If there is no server certificate, it must fail, even if I used SSL_CTX_set_verify to set both server and client mode to SSL_VERIFY_NONE.
Is ADH removed from TLSv1 permanently? But I used SSL_get_ciphers and could see that ADH is in use. I can only guess that ADH is removed by default and cannot be added again. But how can the openssl command succeed without a certificate? Confused and frustrated. :(

Roger

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]]On Behalf Of Marek Marcola
> Sent: Saturday, April 15, 2006 12:06 AM
> To: [hidden email]
> Subject: Re: strange problem of "no shared cipher" for no certificate TLS connection
>
>
> Hello.
> > I developed an application based on ACE_SSL, which is based on openssl.
> > I found I could not set up a TLS connection with no certificate verification.
> > That is, I just want a TLS connection without a certificate.
> Anonymous ciphers are disabled by default in OpenSSL
> (default: ALL:!ADH:+RC4:@STRENGTH).
> You should enable ADH on the client _and_ on the server side.
> This may be done with SSL_CTX_set_cipher_list().
>
> > I used the same cipher list and rand file with the openssl command;
> > while the openssl command succeeded in setting up a TLS connection,
> > my application always failed with the
> > "SSL3_GET_CLIENT_HELLO:no shared cipher" error.
> >
> > successful openssl command
> > On server side
> >         openssl s_server -accept 25062 -nocert -cipher aNULL -rand /home/zhangl/openssl/test/ca.bak/newcerts/01.pem
> > On client side
> >         openssl s_client -connect gdcqd1:25062 -cipher aNULL -rand /home/zhangl/openssl/test/ca.bak/newcerts/01.pem
> >
> Removing aNULL on any side will break the TLS handshake.
>
> Best regards,
> --
> Marek Marcola <[hidden email]>
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

RE: strange problem of "no shared cipher" for no certificate TLS connection

Marek.Marcola
Hello,

> I used SSL_CTX_set_cipher_list() to try all kinds of ADH plus aNULL, eNULL, NULL and ALL.
> The connection still could not be set up without a server certificate.

On server side:
        - generate DH parameters file:
                # openssl dhparam -out dhparam.pem 512
        - add code to initialize SSL_CTX structure:

#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/dh.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>

/* Read PKCS#3 DH parameters (as written by "openssl dhparam") from a
   PEM file.  Returns NULL, with the reason left on the OpenSSL error
   queue, if the file cannot be opened or parsed. */
static DH *load_dh_param(const char *dhfile)
{
        DH *ret=NULL;
        BIO *bio;

        if ((bio=BIO_new_file(dhfile,"r")) == NULL){
                goto err;
        }
        ret=PEM_read_bio_DHparams(bio,NULL,NULL,NULL);

err:
        if (bio != NULL){
                BIO_free(bio);
        }
        return(ret);
}
..
..
SSL_CTX *ctx;
DH *dh;
..
..
/* ADH suites are ephemeral-DH suites without authentication: the
   server must have DH parameters to offer, otherwise no ADH suite can
   be selected and the handshake fails with "no shared cipher". */
if((dh=load_dh_param("dhparam.pem")) == NULL){
        ERR_print_errors_fp(stderr);
        goto err;
}
if(!SSL_CTX_set_tmp_dh(ctx,dh)) {
        ERR_print_errors_fp(stderr);
        DH_free(dh);
        goto err;
}
DH_free(dh);    /* SSL_CTX_set_tmp_dh() keeps its own copy */

/* The default cipher list excludes ADH; replace it on the server ... */
if(!SSL_CTX_set_cipher_list(ctx,"ADH")) {
       ERR_print_errors_fp(stderr);
       goto err;
}
..
..

On client side:
        - add code to initialize SSL_CTX structure:

/* ... and on the client, or the two sides share no cipher at all. */
if(!SSL_CTX_set_cipher_list(ctx,"ADH")) {
       ERR_print_errors_fp(stderr);
       goto err;
}

Best regards,
--
Marek Marcola <[hidden email]>

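Editor's worked example (added here; not code from the thread, from ACE_SSL or from OpenSSL itself). It runs the three situations the thread describes as in-memory TLS 1.2 handshakes: the server still on the default cipher list that Roger started with, ADH enabled on both sides but no DH parameters on the server, and Marek's fix with DH parameters loaded. Python's ssl module is used because it is a thin wrapper over the same OpenSSL calls (set_ciphers() is SSL_CTX_set_cipher_list(), load_dh_params() is SSL_CTX_set_tmp_dh(), verify_mode = CERT_NONE is SSL_VERIFY_NONE) and needs no build step. Assumptions: an OpenSSL 1.1 or 3.x build with the ADH suites compiled in; "@SECLEVEL=0" in the cipher string, since current builds refuse aNULL at the default security level; TLS 1.2 pinned, because TLS 1.3 has no anonymous suites at all; and, instead of the 512-bit "openssl dhparam" file from the thread (breakable since Logjam and rejected by current libraries), the 2048-bit RFC 3526 group 14 prime rebuilt from its published definition, floor(2^1918 pi) + 124476, and checked for safe-primality before use. The Machin-formula pi routine, the Fermat check, the PKCS#3 PEM writer and the handshake pump are the editor's helpers. The security caveat holds at any key size: an anonymous DH connection resists only passive eavesdropping, and any active attacker can sit in the middle because nothing is authenticated.

```python
import base64
import os
import ssl
import tempfile


def _arctan_inv(x, scale):
    """scale * arctan(1/x) by the Gregory series in fixed-point integers."""
    term = total = scale // x
    n, sign = 1, -1
    while term:
        term //= x * x
        total += sign * (term // (2 * n + 1))
        n, sign = n + 1, -sign
    return total


def rfc3526_modp2048():
    """RFC 3526 group 14: p = 2^2048 - 2^1984 - 1 + 2^64 * (floor(2^1918 * pi) + 124476)."""
    pi_fixed = 16 * _arctan_inv(5, 1 << 2100) - 4 * _arctan_inv(239, 1 << 2100)  # Machin
    p = (1 << 2048) - (1 << 1984) - 1 + (1 << 64) * ((pi_fixed >> 182) + 124476)
    q = (p - 1) // 2
    if pow(2, p - 1, p) != 1 or pow(2, q - 1, q) != 1:  # Fermat: p and q must both be prime
        raise ValueError("reconstructed group is not a safe prime")
    return p


def _der(tag, body):
    """DER TLV; lengths of 128 or more use the long form."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def dh_params_pem(p, g=2):
    """PKCS#3 DHParameter ::= SEQUENCE { prime, base } as PEM (what `openssl dhparam` writes)."""
    ints = [v.to_bytes((v.bit_length() + 8) // 8, "big") for v in (p, g)]  # +8 keeps sign bit clear
    der = _der(0x30, b"".join(_der(0x02, i) for i in ints))
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % body


def try_handshake(server_ciphers, client_ciphers, dh_file=None):
    """One TLS 1.2 handshake over memory BIOs; the server never loads a certificate.
    Returns (True, cipher name) or (False, OpenSSL reason such as NO_SHARED_CIPHER)."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    srv.maximum_version = cli.maximum_version = ssl.TLSVersion.TLSv1_2  # no anon suites in 1.3
    cli.check_hostname = False
    cli.verify_mode = ssl.CERT_NONE  # SSL_VERIFY_NONE: has no effect on cipher selection
    srv.set_ciphers(server_ciphers)  # SSL_CTX_set_cipher_list() on the server ...
    cli.set_ciphers(client_ciphers)  # ... and on the client: both must offer ADH
    if dh_file:
        srv.load_dh_params(dh_file)  # SSL_CTX_set_tmp_dh(): without it no DHE/ADH suite is usable
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cli.wrap_bio(c_in, c_out, server_side=False)
    server = srv.wrap_bio(s_in, s_out, server_side=True)
    finished = []
    try:
        for _ in range(16):
            for side, out_bio, peer_in in ((client, c_out, s_in), (server, s_out, c_in)):
                if side not in finished:
                    try:
                        side.do_handshake()
                        finished.append(side)
                    except ssl.SSLWantReadError:
                        pass  # waiting for the peer's next flight
                data = out_bio.read()
                if data:
                    peer_in.write(data)  # deliver this side's flight to the peer
            if len(finished) == 2:
                return True, client.cipher()[0]
    except ssl.SSLError as exc:
        return False, exc.reason or str(exc)
    raise RuntimeError("handshake did not converge")


def run_scenarios():
    """The three situations from the thread; @SECLEVEL=0 is what current OpenSSL needs for aNULL."""
    fd, dh_file = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write(dh_params_pem(rfc3526_modp2048()))
    old_default = "ALL:!ADH:+RC4:@STRENGTH:@SECLEVEL=0"  # the 2006 default quoted above
    adh = "ADH:@SECLEVEL=0"
    try:
        return {
            "default_vs_adh": try_handshake(old_default, adh, dh_file),  # Roger's original symptom
            "adh_no_dh": try_handshake(adh, adh, None),                 # ADH on both sides, no DH params
            "adh_with_dh": try_handshake(adh, adh, dh_file),            # Marek's fix
        }
    finally:
        os.unlink(dh_file)


if __name__ == "__main__":
    for name, (ok, detail) in run_scenarios().items():
        print("%-15s %s  %s" % (name, "OK" if ok else "FAIL", detail))
```

Only the last scenario completes, with an ADH- cipher name; the other two die in the server's do_handshake() with NO_SHARED_CIPHER, the same SSL3_GET_CLIENT_HELLO error as in the thread, because the server either has no anonymous suite in its list or has one but no DH parameters to back it. Whether SSL_VERIFY_NONE is set on either side changes nothing, which is why Roger's SSL_CTX_set_verify() experiments could not help.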