I was looking through the openssl-users archive and found that someone succeeded in something I'm trying to do - create a secure channel with no certs or authentication.  Only thing is, I can't get it to work.  I see that it works between s_server (with nocert option) and s_client.
I'm using openssl v0.9.4.

The SSL calls are as follows:

SSLeay_add_ssl_algorithms();
SSL_load_error_strings();

method = SSLv3_server_method();
ctx = SSL_CTX_new(method);
/* bio: a BIO already opened on the DH parameter file (not shown) */
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
if (dh == NULL || !SSL_CTX_set_tmp_dh(ctx, dh)) {
    /* without usable DH parameters no ADH suite can be offered */
    ERR_print_errors_fp(stderr);
}
DH_free(dh);
if (!SSL_CTX_set_cipher_list(ctx, "ADH-DES-CBC-SHA")) {
    ERR_print_errors_fp(stderr);
}
ssl = SSL_new(ctx);
SSL_set_fd(ssl, sock);
if (SSL_accept(ssl) <= 0) {
    ERR_print_errors_fp(stderr);
}

Currently, this fails with the following error:
SSL_accept: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

I'm using 
The client (openssl s_client -cipher ADH-DES-CBC-SHA -ssl3) has the following output:
10662:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:774:SSL alert number 40
10662:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:448:

Can you tell me what I'm missing or doing wrong?
I haven't been able to find Bodo Moeller's example code in other DH threads.

Thanks,
John.


--------------------------------------------------------------------------------------------------------------------------------------
List:     openssl-users
Subject:  Re: Setting up anonymous Diffie-Hellman session
From:     [EMAIL PROTECTED] (Bodo Moeller)
Date:     1999-08-12 22:24:02

David Azari <[EMAIL PROTECTED]>:

>       I'm still having difficulty establishing an encrypted channel
> without attempting to do any authentication.  I see now that my objective is
> to set up an anonymous Diffie Hellman session,  [...]

> SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:714

>       I assume that there must be a step that I am missing.  At present, I
> do the following on the server side:
>       
>       {socket bind, listen}
>       meth = SSLv3_server_method();
>       context = SSL_CTX_new (method);
>       { socket accept }
>       ssl_struct= SSL_new( context );
>       SSL_set_fd( ssl_struct, socket descriptor from above );
>       SSL_accept(ssl_struct )

You have to provide DH parameters by using SSL_CTX_set_tmp_dh before
the SSL_new or by using SSL_set_tmp_dh after the SSL_new.
Look at, e.g., the mod_ssl source code, or at the example
code that I sent in some other DH thread.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
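Bodo's fix carried end to end, as an added example (not code from this thread or from OpenSSL): a server context is given DH parameters and an anonymous-DH cipher list, a client context that has no certificate to verify connects to it, and the same server without the parameters reproduces the "no shared cipher" failure from the question. Python's ssl module stands in for the 0.9.4 C calls (load_dh_params for SSL_CTX_set_tmp_dh, set_ciphers for SSL_CTX_set_cipher_list, and ADH:@SECLEVEL=0 in place of ADH-DES-CBC-SHA, because current OpenSSL refuses anonymous suites above security level 0); the DH group, the socketpair transport and the function names are assumptions of this example.

```python
import base64, socket, ssl, tempfile, threading

# Constructed, test-only DH group: p = 2**1279 - 1 (a Mersenne prime), g = 5.  Not a vetted
# group; it merely keeps the modulus above the 1024-bit floor OpenSSL applies to DHE at level 0.
TEST_P, TEST_G = (1 << 1279) - 1, 5
def _der_len(n):  # DER length octets, short or long form
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 128 else bytes([0x80 | len(b)]) + b
def _der_int(n):  # DER INTEGER; the spare high byte keeps large values positive
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body
def dh_params_pem(p, g):  # PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }
    seq = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(seq)) + seq).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n" + lines + "\n-----END DH PARAMETERS-----\n"

def anon_dh_server_context(dh_pem_path=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # anonymous suites exist only up to TLS 1.2
    ctx.set_ciphers("ADH:@SECLEVEL=0")            # aNULL suites are refused above level 0
    if dh_pem_path:  # SSL_CTX_set_tmp_dh's role; after set_ciphers, as params are checked at load
        ctx.load_dh_params(dh_pem_path)
    return ctx
def anon_dh_client_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # there is no certificate to check
    ctx.set_ciphers("ADH:@SECLEVEL=0")
    return ctx
def anon_dh_roundtrip(load_params=True):  # (cipher name, echo), or None if the handshake fails
    fd, path = tempfile.mkstemp(suffix=".pem")
    with open(fd, "w") as f:
        f.write(dh_params_pem(TEST_P, TEST_G))
    srv_sock, cli_sock = socket.socketpair()
    srv_sock.settimeout(10)  # never hang the demo on a broken handshake
    cli_sock.settimeout(10)
    def serve():  # echo one record; if the handshake fails the client gets the alert instead
        try:
            srv_ctx = anon_dh_server_context(path if load_params else None)
            with srv_ctx.wrap_socket(srv_sock, server_side=True) as s:
                s.sendall(s.recv(16))
        except ssl.SSLError:
            pass
    threading.Thread(target=serve, daemon=True).start()
    try:
        with anon_dh_client_context().wrap_socket(cli_sock) as c:
            c.sendall(b"ping")
            return c.cipher()[0], c.recv(16)
    except ssl.SSLError:  # what the thread saw: alert 40 / "no shared cipher" without DH params
        return None
```

An anonymous-DH channel is encrypted but authenticates neither peer, so an active attacker in the path can terminate and re-originate it undetected; that is exactly what the "no certs or authentication" setup trades away.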
