Re: openSSL client has problem to connect with JSSE based server on TLS?
> I have an openSSL/Stunnel based client. and we are trying to connect
> to a JSSE based server on TLS.
> The ssldump simply say that "handshake_failure". and from successful
> connection log of other JSSE based connection it appears they are
> using different cipher.
> Does " Unknown value 0x39" cipher need special setup on either side?
Value 0x39 means DHE-RSA-AES256-SHA.
>From command "openssl ciphers -v | grep AES" we will get:
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
this means that DH will be used for key_echange and RSA will be used
for certificate_verify (aes256 for encription, sha1 for mac).
Error in this situation may come from verifiying ClientKeyExchange or
CertificateVerify message (ChangeCipherSpec is VERY simple :-).
Because all 3 messages are sent in one TCP segment
(or one write()) we can not tell witch packet has "error".
My proposition is to remove DH by setting (for testing) cipher
to AES256-SHA. This will give more information from ssldump
like RSA decrypted pre_master_secret value.
You may change this with -cipher option in "openssl s_client"
or using function SSL_CTX_set_cipher_list() if you writing
your own application using OpenSSL.