Hi,

Look at my reply to "ADH ciphers with SSL_ALLOW_ADH - do they work?". I'm
new to openssl too so I might not be giving you the best solution there
is... I think you have to use anonymous Diffie-Hellman if you don't need
any authentication. This cipher suite seems to be disabled by default in
openssl. Unless there is a better way to do it, you have to recompile
the openssl library. There are two options:

1. Recompile with "no-rsa" (./Configure ... no-rsa). Removing rsa from
the library seems to put ADH back into the default cipher list.
2. Recompile with SSL_ALLOW_ADH (./Configure ... -DSSL_ALLOW_ADH). This
enables ADH but doesn't put it into the default cipher list. You then
have to set the cipher list to include the ADH ciphers.

I think you also need to define DH parameters on the server side and to
set the verify policy to SSL_VERIFY_NONE.

I hope this will help...


Vincent Levesque



David Azari wrote:

>
>
> To whomever may be able to give a bit of advice,
>
>         I'm having extreme difficulty setting up an SSL connection
> between client and server when neither specifies a certificate and key
> file.  Actually, the problem seems to be specific to the server.  If I
> tell the server to use a cert and key, via the
>
>         SSL_CTX_use_certificate_file( ) and
> SSL_CTX_use_PrivateKey_file( )
> methods, the connection works fine.  The two communicate using DES,
> which is what I'm (currently) after.  However, if I comment out the
> above two calls, there is a handshake failure.  Apparently, the client
> fails to read in the header of one of the ASN1 objects (this is a
> rather new topic to me, "abstract syntax notation" for communicating
> digital objects).  Here are the errors I get, on the client side:
>
> 5862:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too
> long:asn1_lib.c:139:
> 5862:error:0D09F006:asn1 encoding routines:d2i_X509:bad get asn1
> object call:x_x509.c:97:address=537084824 offset=0
> 5862:error:1407E00B:SSL routines:SSL2_SET_CERTIFICATE:X509
> lib:s2_clnt.c:891:
>
>         So it's obviously not reading the x509 object correctly if I
> don't give a file to "derive it" from, or at least that's how I'm
> interpreting it.  On the server side, I simply get a "handshake error"
> (SSL2_READ).
>
>         Is there a simple way to tell OpenSSL not to worry about
> authentication at all?  I don't want to use it, so there's no reason
> to specify a certificate and key file on either side.  However, doing
> so causes my test apps to fail.  Right now, I simply follow this
> pattern:
>
>         <set up TCP/IP connection via bind, listen, accept>
>         method = SSLv23_server_method();
>
>         context = SSL_CTX_new (method);
>         **SSL_CTX_use_certificate_file( context, certfile,
> SSL_FILETYPE_PEM);
>         **SSL_CTX_use_PrivateKey_file( context, keyfile,
> SSL_FILETYPE_PEM);
>         ssl_struct = SSL_new( context );
>         SSL_set_fd( ssl_struct, sd_from_above_ops );
>         if( SSL_accept( ssl_struct )
>
> ** These guys should be totally optional, but I fail if I omit them!!
>
>         Is there something I'm missing, that would allow me to leave
> out the certificate and key files?  Any advice or sample code would be
> greatly appreciated!
>
> David Azari
> [EMAIL PROTECTED]
>
>
>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]