Hello, > I have an openSSL/Stunnel based client. and we are trying to connect > to a JSSE based server on TLS. > The ssldump simply say that "handshake_failure". and from successful > connection log of other JSSE based connection it appears they are > using different cipher. > > Does " Unknown value 0x39" cipher need special setup on either side? Value 0x39 means DHE-RSA-AES256-SHA. >From command "openssl ciphers -v | grep AES" we will get: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1 AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1 AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
this means that DH will be used for key_echange and RSA will be used for certificate_verify (aes256 for encription, sha1 for mac). Error in this situation may come from verifiying ClientKeyExchange or CertificateVerify message (ChangeCipherSpec is VERY simple :-). Because all 3 messages are sent in one TCP segment (or one write()) we can not tell witch packet has "error". My proposition is to remove DH by setting (for testing) cipher to AES256-SHA. This will give more information from ssldump like RSA decrypted pre_master_secret value. You may change this with -cipher option in "openssl s_client" or using function SSL_CTX_set_cipher_list() if you writing your own application using OpenSSL. Best regards, -- Marek Marcola <[EMAIL PROTECTED]> ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
