On Fri, Mar 16, 2001 at 08:22:13PM +0000, Daniel Leddy wrote:
> When I try running openssl s_server -nocert
> and connecting a client to it this is what I get:
>
> 1.
> C:\SSL>openssl s_server -nocert
> Loading 'screen' into random state - done
> Using default temp DH parameters
> ACCEPT
>
> 2.
> C:\SSL>openssl s_client
> Loading 'screen' into random state - done
> CONNECTED(00000084)
> 4294831691:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:./ssl/s23_clnt.c:453:
>
> 3. Back on the server side
> bad gethostbyaddr
> ERROR
> 4294688291:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:./ssl/s3_srvr.c:769:
> shutting down SSL
> CONNECTION CLOSED
> ACCEPT

The server _must_ present a certificate. For RSA ciphers an RSA cert must
be available, for DSA ciphers a DSA certificate must be available.
Since you do not give the server a certificate it does not support any
cipher, so the "no shared cipher" error must occur.

There are ciphers without certificate (anonymous with DH parameters: ADH),
but these are not secure against man-in-the-middle attacks and are therefore
disabled by default. You must explicitly allow them on s_client and s_server
with the -cipher option, see "man ciphers" for more details.

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
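The behaviour described in the reply above, as an added example that is not part of the original message or of the OpenSSL project: Python's ssl module runs an in-memory handshake against a server context that has no certificate, first with default ciphers, then with anonymous suites enabled on one side, then on both. Assumptions: the helper names `handshake` and `_pump` are hypothetical, the local OpenSSL build still ships anonymous suites and accepts the cipher string `aNULL:@SECLEVEL=0`, and the handshake is capped at TLS 1.2; the build picks the anonymous suite (ADH needs DH parameters loaded, otherwise anonymous ECDH is chosen).

```python
import ssl

ANON = "aNULL:@SECLEVEL=0"  # assumption: this OpenSSL build still ships anonymous suites

def _pump(src, dst):
    """Move any bytes waiting in one memory BIO into the other."""
    data = src.read()
    if data:
        dst.write(data)

def handshake(server_ciphers=None, client_ciphers=None):
    """In-memory TLS 1.2 handshake against a server that has no certificate.
    Returns (ok, cipher name or OpenSSL error reason, DER peer cert or None)."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # no load_cert_chain(), like -nocert
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.check_hostname = False
    cli.verify_mode = ssl.CERT_NONE                # isolate cipher selection from verification
    for ctx, ciphers in ((srv, server_ciphers), (cli, client_ciphers)):
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        if ciphers:
            ctx.set_ciphers(ciphers)               # counterpart of the -cipher option
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cli.wrap_bio(c_in, c_out)
    server = srv.wrap_bio(s_in, s_out, server_side=True)
    pending = [client, server]
    for _ in range(20):                            # bounded number of flights
        for side in list(pending):
            try:
                side.do_handshake()
                pending.remove(side)
            except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
                pass                               # needs the peer's next flight
            except ssl.SSLError as exc:
                return False, exc.reason, None
        _pump(c_out, s_in)
        _pump(s_out, c_in)
        if not pending:
            return True, client.cipher()[0], client.getpeercert(binary_form=True)
    return False, "handshake did not complete", None

if __name__ == "__main__":
    print("defaults, no certificate:", handshake())
    print("anonymous on client only:", handshake(client_ciphers=ANON))
    print("anonymous on both sides :", handshake(ANON, ANON))
```

In the one case that completes, the client receives no peer certificate at all, which is why the session cannot detect a man in the middle.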