Hi, I'm trying to set up an encrypted channel between client / server
but without authentication or certificates. From searching through the
mailing list archives, I've seen other people have done it successfully
before.

I tried working from the relatively simple demo/ssl/serv.cpp and
demo/ssl/cli.cpp

I tried commenting out the "optional" read certificate steps on the
client side and the read certificate steps on the server side.

However, I keep getting "no shared cipher" messages coming from the
server. (The client gives handshake failure messages.)

I tried various techniques suggested in the archives, some of which
include compiling with no-rsa and using DH keys, and using the
SSL_CTX_set_tmp_dh() functions, but have had no luck. I also tried
poking around in the code and turned the CIPHER_DEBUG flag on to get more
info, but still no luck.

Other bits of information:

- I use the SSL_get_cipher_list() call to check what my SSL handle
supports, and both client / server say: EDH-RSA-DES-CBC3-SHA.
- I tried to do an SSL_CTX_check_private_key(), but it fails with no key.
I believe this is the root of the problem. If I don't specify a
certificate, it won't have a key. However, I thought that doing the
set_tmp_dh() would solve that problem, but it doesn't.

my code:

cli.cpp is relatively unchanged except that the certificate stuff has been
chopped out.
serv.cpp has the following flow:

SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
meth = SSLv23_server_method();
ctx = SSL_CTX_new(meth);

// tried a bunch of things here, including
dh = get_dh512(); // this function ripped from apps/s_server.c
// also
dh = DH_generate_parameters(512, DH_GENERATOR_5, NULL, NULL);

// then:
SSL_CTX_set_tmp_dh(ctx, dh);
// also tried (note: the larg of SSL_CTRL_SET_TMP_DH is ignored, so
// SSL_OP_SINGLE_DH_USE has no effect here; it belongs in SSL_CTX_set_options()):
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, SSL_OP_SINGLE_DH_USE, (char *) dh);

// ... do socket stuff and get fd

ssl = SSL_new(ctx);
SSL_set_fd(ssl, fd);
SSL_accept(ssl);

Please help; I've been searching through the archives and trying various
things for several hours now, and am getting quite frustrated. Thanks!

BTW, *please* cc: me on any response because I'm not on the list. Thanks
again for reading this far! :)

-rchit
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
