Rachit Siamwalla wrote:
> 
> Hi, I'm trying to set up an encrypted channel between client / server
> but without authentication or certificates. From searching through the
> mailing list archives, I've seen other people have done it successfully
> before.
> 
> I tried working from the relatively simple demo/ssl/serv.cpp and
> demo/ssl/cli.cpp
> 
> I tried commenting out the "optional" read certificate steps on the
> client side and the read certificate steps on the server side.
> 
> However, I keep getting "no shared cipher" messages coming from the
> server (the client gives handshake failure messages).
> 
> I tried various techniques suggested from the archives, some of which
> include compiling with no-rsa and using DH keys, and using the
> SSL_CTX_set_tmp_dh() functions, but have had no luck. I also tried
> poking around in the code, and set the CIPHER_DEBUG flag on to get more
> info, but also no luck.
> 
> Other bits of information:
> 
> - I use the SSL_get_cipher_list() call to check my ssl handle on what it
> supports and both client / server say: EDH-RSA-DES-CBC3-SHA.
> - I tried to do a SSL_CTX_check_private_key(), but it fails with no key.
> I believe this is the root of the problem. If I don't specify a
> certificate, it won't have a key. However, I thought that doing the
> set_tmp_dh() would solve that problem, but it doesn't.
> 
> My code:
> 
> cli.cpp is relatively unchanged except the certificate stuff has been
> chopped out.
> serv.cpp has the following flow:
> 
> SSL_load_error_strings();
> SSLeay_add_ssl_algorithms();
> meth = SSLv23_server_method();
> ctx = SSL_CTX_new(meth);
> 
> // tried a bunch of things here, including
> dh = get_dh512(); // this function ripped from apps/s_server.c
> // also
> dh = DH_generate_parameters(512, DH_GENERATOR_5, NULL, NULL);
> 
> // then:
> SSL_CTX_set_tmp_dh(ctx,dh);
> // also tried:
> SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, SSL_OP_SINGLE_DH_USE, (char *) dh);
> 
> xxx do socket stuff and get fd
> 
> ssl = SSL_new(ctx);
> SSL_set_fd(ssl, fd);
> SSL_accept(ssl);
> 
> Please help, I've been searching through the archives and trying various
> things for several hours now, and am getting quite frustrated. Thanx!
> 
> BTW, *please* cc: me any response because I'm not on the list. Thanx
> again for reading this far! :)
> 

Since anonymous (unauthenticated) ciphersuites are vulnerable to a
man-in-the-middle attack they are disabled with the default cipher string.
You need to set a cipher string which has something like "ALL:@STRENGTH"
in it using SSL_CTX_set_cipher_list() on both client and server.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
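The two situations in this thread, the default cipher list with no certificate (the poster's "no shared cipher" failure) and the cipher-string fix Steve describes, can be reproduced without any sockets. The following is an added example, not code from either message; it uses Python's ssl module (which drives OpenSSL) rather than the C API in the thread, and runs both handshakes in memory via MemoryBIO. Two assumptions go beyond the thread: on current OpenSSL builds the anonymous (aNULL) suites are additionally refused at security level 1 and above and do not exist in TLS 1.3, so the example's cipher string also sets @SECLEVEL=0 and caps the version at TLS 1.2; the "ALL:@STRENGTH" string in the reply was sufficient on the OpenSSL of that era. The has_anonymous_suites() function is the audit check a defender wants: it reports whether a context would ever negotiate a suite that does no peer authentication.

```python
"""In-memory TLS handshakes with Python's ssl module (OpenSSL underneath):
first the thread's failure (no certificate, default cipher list), then the
fix from the reply (a cipher string that admits anonymous ciphersuites on
both client and server).  Added example, not code from the thread."""
import ssl


def make_contexts(anonymous):
    """Build a server and a client context.  Nothing is loaded into the
    server either way: that is the poster's situation (no cert, no key).
    With anonymous=True both sides get a cipher string admitting aNULL."""
    server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client.check_hostname = False      # there will be no certificate to check
    client.verify_mode = ssl.CERT_NONE
    if anonymous:
        for ctx in (server, client):
            # Assumption (current OpenSSL): aNULL suites are refused at
            # security level >= 1 and do not exist in TLS 1.3, so the level
            # is dropped and the protocol capped at TLS 1.2.
            ctx.set_ciphers("aNULL:@SECLEVEL=0")
            ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return server, client


def has_anonymous_suites(ctx):
    """Audit check: does this context's cipher list contain any suite that
    performs no peer authentication?  OpenSSL names them ADH-* / AECDH-*."""
    return any(c["name"].startswith(("ADH-", "AECDH-"))
               for c in ctx.get_ciphers())


def _pump(src, dst):
    """Move whatever one side has written into the other side's inbox."""
    data = src.read()
    if data:
        dst.write(data)


def handshake(server_ctx, client_ctx, max_rounds=20):
    """Drive a handshake between two SSLObjects joined by memory BIOs.
    Returns the negotiated cipher name, or None if the handshake failed."""
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    c_done = s_done = False
    try:
        for _ in range(max_rounds):
            if not c_done:
                try:
                    client.do_handshake()
                    c_done = True
                except ssl.SSLWantReadError:
                    pass              # client is waiting for a server flight
            _pump(c_out, s_in)        # deliver client records to the server
            if not s_done:
                try:
                    server.do_handshake()
                    s_done = True
                except ssl.SSLWantReadError:
                    pass              # server is waiting for a client flight
            _pump(s_out, c_in)        # deliver server records to the client
            if c_done and s_done:
                return client.cipher()[0]
    except ssl.SSLError as exc:
        # Typically "no shared cipher" raised on the server side, or the
        # client receiving the server's handshake_failure alert.
        print("handshake failed:", exc.reason)
        return None
    raise RuntimeError("handshake did not complete")


def demo():
    """Run both scenarios; returns (result_without_fix, result_with_fix)."""
    srv, cli = make_contexts(anonymous=False)
    without_fix = handshake(srv, cli)      # None: no cert and no aNULL suites
    srv, cli = make_contexts(anonymous=True)
    with_fix = handshake(srv, cli)         # an ADH-* or AECDH-* suite name
    return without_fix, with_fix


if __name__ == "__main__":
    a, b = demo()
    print("default cipher list, no certificate ->", a)
    print("aNULL cipher string on both sides   ->", b)
```

The second handshake succeeds precisely because neither side is asked to prove who it is, which is the point of the reply: any party able to sit between the two endpoints can complete the same handshake with each of them. In a real deployment the check to run is has_anonymous_suites() against every context you create, expecting False; the plain SSLContext defaults already give that answer.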
