I searched the archives and surprisingly (for me anyway) I didn't find anything about this:
I'm writing an IMAP server, and STARTTLS is currently in my focus. Firstly, my service runs under tcpserver (DJB), or inetd/xinetd. Is it immediately impossible for my program to implement TLS over a link like this?

The client, in my case Kmail, connects and runs the STARTTLS command. The TLS negotiation that follows doesn't work. Anyway, here's my error.

Using SSLv23:

    SSL_CTX *ctx = SSL_CTX_new(SSLv23_method());

    error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

Using TLSv1:

    SSL_CTX *ctx = SSL_CTX_new(TLSv1_method());

    16689:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:290:

-----------------------------------------------------------------
This is what I'm doing:

    #include <openssl/ssl.h>   /* headers the snippet needs (not in the post) */
    #include <openssl/err.h>

    /* certname (std::string, path to the PEM file holding certificate and key)
     * and ssl_error() (prints the OpenSSL error queue and exits) are not shown
     * in the post. */

    SSL_load_error_strings();
    SSL_library_init();
    OpenSSL_add_ssl_algorithms();

    SSL_CTX *ctx = SSL_CTX_new(SSLv23_method());
    SSL_CTX_set_options(ctx, SSL_OP_ALL);
    SSL_CTX_set_cipher_list(ctx, "!ADH:RC4+RSA:HIGH:MEDIUM:LOW:EXP:+SSLv2:+EXP");
    SSL_CTX_set_timeout(ctx, 0);

    if (!SSL_CTX_use_certificate_file(ctx, certname.c_str(), SSL_FILETYPE_PEM))
        ssl_error();
    if (!SSL_CTX_use_PrivateKey_file(ctx, certname.c_str(), SSL_FILETYPE_PEM))
        ssl_error();
    if (!SSL_CTX_check_private_key(ctx))
        ssl_error();
    SSL_CTX_set_default_verify_paths(ctx);

    SSL *ssl = SSL_new(ctx);
    if (ssl == NULL)
        ssl_error();

    /* inetd/tcpserver style: the client socket is stdin (0) and stdout (1) */
    SSL_set_rfd(ssl, 0);
    SSL_set_wfd(ssl, 1);

    int result = SSL_accept(ssl);   // returns -1
-----------------------------------------------------------------------

Can anyone explain to me what I'm (not) doing wrong here? :-)

Andy

--
Andreas Aardal Hanssen
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                             [EMAIL PROTECTED]
Automated List Manager                                [EMAIL PROTECTED]
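An added example, not from the post and not OpenSSL's code: a Python sketch of the server-side STARTTLS hand-off point under inetd-style descriptors, which sends the tagged OK and then classifies the first bytes the client sends next the way OpenSSL's SSLv23 hello parser does, so plaintext arriving where a ClientHello is expected (one situation that produces both quoted errors) is visible before SSL_accept is ever called. `handle_starttls`, `send` and `peek` are hypothetical stand-ins for the real fds; the sample bytes are constructed.

```python
import string

TAG_OK = "{tag} OK Begin TLS negotiation now\r\n"   # IMAP reply that precedes the handshake

def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes seen after the STARTTLS reply, using the same
    distinctions OpenSSL's SSLv23 hello parser makes."""
    if len(data) < 6:
        return "short"
    # SSLv2-compatible ClientHello: 2-byte length with the high bit set, then
    # message type 1 (CLIENT-HELLO).
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-hello"
    rec_type, vmaj, vmin = data[0], data[1], data[2]
    rec_len = int.from_bytes(data[3:5], "big")
    # TLS/SSLv3 record: type 0x16 (handshake), version 3.x, 2-byte length,
    # then handshake message type 0x01 (ClientHello).
    if rec_type == 0x16 and vmaj == 0x03 and data[5] == 0x01:
        return f"tls-hello 3.{vmin} len={rec_len}"
    # A printable line ending in CRLF is still plaintext IMAP, not a hello.
    # Fed to SSL_accept, this is what SSL23_GET_CLIENT_HELLO reports as
    # 'unknown protocol' (and TLSv1_method as 'wrong version number', since
    # the bytes where it expects 0x03 0x01 are ASCII).
    if data.endswith(b"\r\n") and all(chr(b) in string.printable for b in data):
        return "plaintext-imap"
    return "unknown"

def handle_starttls(tag: str, send, peek) -> tuple:
    """Server side of STARTTLS under inetd-style fds: write and flush the
    tagged OK first, then look at what the client sends next before the
    descriptors are handed to the TLS library. `send` and `peek` are
    hypothetical stand-ins for writing fd 1 and peeking fd 0 (MSG_PEEK)."""
    reply = TAG_OK.format(tag=tag)
    send(reply.encode())      # if this is still sitting in a stdio buffer, the
                              # client never learns it may start the handshake
    return reply, classify_first_bytes(peek())

# Constructed sample bytes (not captured traffic).
CLIENT_HELLO = (bytes.fromhex("160301002d01000029") + b"\x03\x01" + bytes(32)
                + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00")   # TLS 1.0 hello, one suite
SSLV2_HELLO = bytes.fromhex("802e010301") + bytes(41)           # SSLv2-style hello
PLAINTEXT = b"a002 CAPABILITY\r\n"                              # client never switched

if __name__ == "__main__":
    sent = []
    for sample in (CLIENT_HELLO, SSLV2_HELLO, PLAINTEXT):
        print(handle_starttls("a001", sent.append, lambda s=sample: s)[1])
```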