Hi Bill,
> How is it supposed to work? My Web server is set up to use the "Server"
> mode of SSL (using SSL_set_accept_state and SSLv3_server_method()), and it's
> trying to use anonymous SSL (DH, no certificates or private keys). The
> cipher suite to use is specifically set via:
>
> SSL_CTX_set_cipher_list (pctxSSLContext, "!DEFAULT:ADH-DES-CBC3-SHA");
I have had similar problems with different client/server combinations in the
past. You should try SSLv23_server_method() instead of
SSLv3_server_method(). All the other elements you mention seem perfectly
fine to me.
Why use SSLv23_server_method()? Because IE might try to send an SSLv2 message
header (2 bytes), followed by 3 bytes client info, listing that it supports
SSLv3 or even TLSv1 (I didn't check IE behaviour. I should use my sniffer to
verify my statement here...). SSLv3_server_method() chokes on such a
message.
Generally speaking I've found that a client, using SSLv23_client_method()
(or its equivalent in another SSL package) does not interoperate with a
server using either SSLv3_server_method() or TLSv1_server_method(). Of
course, I might be doing something dumb, but that's what I've found to be
true in my realm (embedded 0.9.5a & 0.9.6). I didn't verify this 'general
thing' with IE, but from what I hear from you, yours sounds very much like the
same thing.
....hm.... now I just wondered and started
openssl s_server -nocert -cipher ADH -accept 443 -state -WWW -debug
Then connected IE5.0 (international version) with the URL:
https://127.0.0.1/index.html
And I got this on s_server:
---
Using default temp DH parameters
ACCEPT
SSL_accept:before/accept initialization
read from 00A722D0 [00C89DC0] (11 bytes => 11 (0xB))
0000 - 80 43 01 03 01 00 2a 00-00 00 10 .C....*....
read from 00A722D0 [00C89DCB] (58 bytes => 58 (0x3A))
0000 - 8f 80 01 80 00 03 80 00-01 81 00 01 81 00 03 82 ................
0010 - 00 01 00 00 64 00 00 62-00 00 03 00 00 06 83 00 ....d..b........
0020 - 04 84 28 40 02 00 80 04-00 80 19 ea c0 96 af 59 ..(@...........Y
0030 - d5 ff e8 b7 df 23 36 61-2a d2 .....#6a*.
write to 00A722D0 [00C92DF0] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28 ......(
SSL3 alert write:fatal:handshake failure
SSL_accept:error in SSLv3 read client hello B
SSL_accept:error in SSLv3 read client hello B
344:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:
source\openssl\SSL\S3_SRVR.C:784:
ACCEPT
---
In other words:
1) You should switch to SSLv23_server_method() at least (to make your server
handle the sequence '80 43 01 03 01' hex). Try s_server with the additional
option 'ssl3' (using SSLv3_server_method() instead of
SSLv23_server_method()) and you'll see what I mean.
2) To make my IE5 version talk to an SSL server, the server apparently needs
to come with a certificate as it does not support any ADH cipher. I.e. IE5.0
does not support anonymous DH.
Please correct me if I'm wrong here. Never too old to learn a few more tricks
;-)
Groetjes/Greetinx,
Ger
------------------------------------------------------------------------------
Ger Hobbelt a.k.a. Insh_Allah mailto:[EMAIL PROTECTED]
------------------------------------------------------------------------------
Peter Pan can fly when he thinks his Happy Thought.
I want to fly too.
My Happy Thought is... one part Prozac and one part LSD...
Wow! Awesome, dude!
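To make the two findings above concrete, here is an added example (not code from this thread, from Bill's server, or from OpenSSL) that decodes the SSLv2-compatible CLIENT-HELLO record IE5 sent to s_server, copied byte for byte from the -debug dump in the mail, and checks it against a server whose cipher list is "!DEFAULT:ADH-DES-CBC3-SHA". The classify/accept_path functions are a model of the behaviour Ger describes for the two server methods, not OpenSSL's own code; the short suite-name table uses OpenSSL's names for the suite ids visible in the dump. Cipher-spec bytes are used exactly as the mail prints them.

```python
"""Decode the SSLv2-compatible CLIENT-HELLO from the s_server dump above and
check it against a server limited to ADH-DES-CBC3-SHA.  Added example, not
code from the original mail or from OpenSSL; bytes copied from the dump."""
import struct

# The 11-byte header read plus the 58-byte body read, as dumped by s_server.
IE5_HELLO = bytes.fromhex(
    "80 43 01 03 01 00 2a 00 00 00 10 "
    "8f 80 01 80 00 03 80 00 01 81 00 01 81 00 03 82 "
    "00 01 00 00 64 00 00 62 00 00 03 00 00 06 83 00 "
    "04 84 28 40 02 00 80 04 00 80 19 ea c0 96 af 59 "
    "d5 ff e8 b7 df 23 36 61 2a d2"
)
ALERT = bytes.fromhex("15 03 01 00 02 02 28")   # the 7 bytes s_server wrote back

# The v2-compatible hello carries SSLv3/TLS suites as 00 xx yy, so the only
# suite the server allows, ADH-DES-CBC3-SHA {0x00,0x1B}, appears as 0x00001B.
ADH_DES_CBC3_SHA = 0x00001B
SERVER_SUITES = [ADH_DES_CBC3_SHA]             # "!DEFAULT:ADH-DES-CBC3-SHA"
SUITE_NAMES = {                                 # OpenSSL names for ids seen in the dump
    0x000064: "EXP1024-RC4-SHA", 0x000062: "EXP1024-DES-CBC-SHA",
    0x000003: "EXP-RC4-MD5", 0x000006: "EXP-RC2-CBC-MD5",
    0x020080: "SSL2 EXP-RC4-MD5", 0x040080: "SSL2 EXP-RC2-CBC-MD5",
    0x00001B: "ADH-DES-CBC3-SHA", 0x000018: "ADH-RC4-MD5",
}


def classify_record(first: bytes) -> str:
    """A 2-byte SSLv2 record holding a CLIENT-HELLO has the high bit of byte 0
    set and byte 2 == 1; an SSLv3/TLS handshake record starts 0x16 0x03.
    This peek is what an auto-negotiating accept path has to make."""
    if len(first) < 3:
        return "need more bytes"
    if first[0] & 0x80 and first[2] == 0x01:
        return "sslv2-compatible client hello"
    if first[0] == 0x16 and first[1] == 0x03:
        return "sslv3/tls handshake record"
    return "unknown"


def accept_path(first: bytes, method: str) -> str:
    """Model (not OpenSSL code) of the mail's claim: SSLv3_server_method()
    reads SSLv3/TLS records only, SSLv23_server_method() also takes the
    v2-compatible hello and then continues as SSLv3/TLS."""
    kind = classify_record(first)
    if kind == "sslv3/tls handshake record":
        return "accepted"
    if kind == "sslv2-compatible client hello" and method == "SSLv23_server_method":
        return "accepted"
    return "rejected"


def parse_v2_client_hello(data: bytes) -> dict:
    """Layout: len(2, high bit set) | type=1 | ver(2) | cs_len(2) | sid_len(2)
    | chal_len(2) | cipher specs (3 bytes each) | session id | challenge."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) != rec_len:
        raise ValueError(f"truncated record: want {rec_len}, have {len(body)}")
    msg_type, major, minor, cs_len, sid_len, chal_len = struct.unpack("!BBBHHH", body[:9])
    if msg_type != 1:
        raise ValueError(f"expected CLIENT-HELLO (1), got {msg_type}")
    if cs_len % 3 or 9 + cs_len + sid_len + chal_len != rec_len:
        raise ValueError("length fields do not add up")
    specs = body[9:9 + cs_len]
    sid_end = 9 + cs_len + sid_len
    return {
        "version": (major, minor),              # (3, 1): IE offers up to TLSv1
        "cipher_specs": [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)],
        "session_id": body[9 + cs_len:sid_end],
        "challenge": body[sid_end:],
    }


def shared_ciphers(client_specs, server_suites) -> list:
    """Empty result is the 'no shared cipher' condition from the dump."""
    return [c for c in client_specs if c in server_suites]


def parse_alert(data: bytes) -> dict:
    """SSLv3/TLS alert record: 0x15 | version | length=2 | level | description."""
    ctype, major, minor, length, level, desc = struct.unpack("!BBBHBB", data[:7])
    if ctype != 0x15 or length != 2:
        raise ValueError("not an alert record")
    return {"version": (major, minor),
            "level": {1: "warning", 2: "fatal"}.get(level, level),
            "description": {40: "handshake_failure"}.get(desc, desc)}


def diagnose(hello: bytes, method: str) -> str:
    """Reproduce both findings of the mail for a captured hello."""
    if accept_path(hello[:3], method) == "rejected":
        return f"{method} cannot read this record; use SSLv23_server_method()"
    h = parse_v2_client_hello(hello)
    if not shared_ciphers(h["cipher_specs"], SERVER_SUITES):
        offered = ", ".join(SUITE_NAMES.get(c, f"0x{c:06x}") for c in h["cipher_specs"])
        return f"no shared cipher: client offers no ADH suite (offered: {offered})"
    return "cipher agreed"


if __name__ == "__main__":
    print(diagnose(IE5_HELLO, "SSLv3_server_method"))
    print(diagnose(IE5_HELLO, "SSLv23_server_method"))
    print(parse_alert(ALERT))
```

Running it walks the two failures in order: with SSLv3_server_method the 80 43 01 03 01 record is never read as a hello at all, and with SSLv23_server_method the hello parses (TLSv1, 14 cipher specs, 16-byte challenge, empty session id) but contains neither 0x00001B nor any other ADH suite, which is exactly the fatal handshake_failure alert (15 03 01 00 02 02 28) that s_server sent back.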
----- Original Message -----
From: "Bill Rebey" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, 01 March, 2001 19:57
Subject: MSIE Connectivity
> I have a Web server written around OpenSSL. My own OpenSSL-based client
> connects to my server just fine, and MSIE connects fine without SSL, but
> when I try to use SSL from the browser (by specifying https://localhost/
> as the URL Address), it won't negotiate a connection.
>
> The browser will connect to the port, my server will accept the connection
> and set up the SSL session, and when my server attempts to read the
> browser's request, it hangs in SSL_read(), presumably because the browser
> never sends anything. The browser, meanwhile, is just "spinning its globe"
> to indicate communication, but nothing ever happens. It looks to me like
> both my server and the browser are in a "read" state, so the thing is
> deadlocked.
>
> How is it supposed to work? My Web server is set up to use the "Server"
> mode of SSL (using SSL_set_accept_state and SSLv3_server_method()), and it's
> trying to use anonymous SSL (DH, no certificates or private keys). The
> cipher suite to use is specifically set via:
>
> SSL_CTX_set_cipher_list (pctxSSLContext, "!DEFAULT:ADH-DES-CBC3-SHA");
>
> Is this wrong? How should my server be set up to let Browsers connect to
> it?
>
> Thanks for the help,
>
> Bill Rebey
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]