Bishr Tabbaa wrote:
> 
> JAVASERVER:
> + uses IAIK & Sun's implementation of SSL in Java
> + ciphersuite = "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
> + mutual authentication disabled
> 
> CCLIENT:
> + uses OpenSSL implementation of SSL in C
> + ciphersuite = SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA
> + verify all peers [trust is blind!]
> 
> Here is the stdout trace on the client side:
> =
> before/connect initialization
> SSLv3 write client hello A
> SSLv3 read server hello A
> SSLv3 read server certificate A
> SSL alert write:fatal
> error in SSLv3 read server key exchange B
> 
> There is one difference between the C client and the Java client that
> correctly speaks to the server; the former is NOT configured with
> certificates, private-public key pairs, and CAs while the latter is.
> 
> QUESTION0:
> Is there a cipher suite for OpenSSL TLSv1 [SSLv3.1] that permits anonymous
> sessions?
> 
> QUESTION1:
> What must I do to configure the C client correctly?
> 
> QUESTION2:
> Is there a flag I can add to openssl\ms\ntdll.mak that will add debugging
> information so when I run the client in the VC++ debugger, I can step into
> the SSL library?  My 1st attempt at this returned 'no matching symbolic
> information found'.
> 

There was a bug in Sun's Java SSL/TLS DSS signature routines which I've
been told has been fixed some time ago. However that problem looks
*exactly* like that bug.

Which version of Sun's software are you using and does it support RSA
cipher suites?

If RSA+EDH cipher suites work but DSS+EDH do not then the bug may be
still present.

If you want anonymous DH ciphersuites then you have to explicitly enable
them: check out the 'ciphers' manual page.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
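
Added example, not part of the original thread and not OpenSSL project code: a check of which cipher strings enable anonymous (unauthenticated) suites, the point behind the reply's pointer to the 'ciphers' manual page. It uses Python's ssl module as a front end to OpenSSL's cipher-string syntax; the function names and sample strings are assumptions chosen for illustration, and the output depends on the local OpenSSL build.

```python
import ssl

def enabled_suites(cipher_string):
    """Return (name, description) for each suite OpenSSL enables for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # Nothing matched, e.g. the string is invalid or the suites it names
        # are compiled out of this OpenSSL build.
        return []
    return [(c["name"], c["description"]) for c in ctx.get_ciphers()]

def anonymous_suites(cipher_string):
    """Names of enabled suites whose description says Au=None.

    Au=None means the peer is never authenticated, so the session key is
    agreed with whoever answers, including a man in the middle.
    """
    return [name for name, desc in enabled_suites(cipher_string)
            if "Au=None" in desc.split()]

def audit(cipher_strings):
    """Map each cipher string to the anonymous suites it would enable."""
    return {s: anonymous_suites(s) for s in cipher_strings}

if __name__ == "__main__":
    # Constructed sample strings. Per the ciphers manual page, aNULL suites
    # are excluded from DEFAULT but included in ALL, so "ALL" and "HIGH"
    # need an explicit "!aNULL" to stay authenticated.
    samples = ["DEFAULT", "ALL", "ALL:!aNULL", "HIGH", "HIGH:!aNULL", "ADH"]
    print(ssl.OPENSSL_VERSION)
    for string, anon in audit(samples).items():
        verdict = "anonymous suites enabled" if anon else "no anonymous suites"
        print(f"{string:12} {verdict}: {', '.join(anon) or '-'}")
```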
