Hello,
I would recommend to actually load the server certificate in addition
to the key. Without certificate the key/certificate pair is not complete
and only anonymous ciphers would be valid. These are not enabled by
default so that no "shared cipher for which all necessary data are
available" can be found.
You should also look up ERR_get_error() in a loop as it is a stack
and may reveal more information about the error stack (even though
I would not think that it would have helped here.
Best regards,
Lutz
On Fri, Aug 18, 2006 at 02:04:39PM +0200, Florian G otter wrote:
> Hello !
>
> I have changed the order now - however, in my understanding, setting the
> ciphers is not required in any case.
> The behaviour is unfortunately still the same.
> Is there a way to debug the handshake further down ?
>
> Thanks
>
> Florian
>
> Krishna M Singh wrote:
>
> > Hi
> >
> > I don't remember the internals of the SSL_CTX and SSL structures but t
> > we need to create SSL object once all the initialization of SSL_CTX is
> > completed...
> > m_ssl=SSL_new(m_ctx);
> > should come after all the calls to add cipher etc. that sets something
> > in the context are done else the m_ssl willn't inherit those
> > properties (unless it uses the pCtx stored inside to access those.)...
> > Actually some stuff (like Cert/Key) is copied inside SSL and some
> > stuff is referred from SSL thru pCtx from its CTX. So if sth is copied
> > to SSL than such init must be done before creating the SSL object..
> >
> > HTH
> > -Krishna
> >
> > On 8/18/06, Florian G otter <[EMAIL PROTECTED]> wrote:
> > > Hello !
> > >
> > > Here is again the complete code as of now.
> > > The restricitions are removed so far.
> > >
> > > Output from Server:
> > > SSL PrivateKey opened successfully
> > > LOG; Now accepting connections on fd...connection accepted.
> > > LOG; Now accepting (ssl)...SSL Handshake (SSL_accept) failed - error
> > > code -1
> > > SSH Handshake error 1= SSL_ERROR_SSLErr during Handshake from SSL error
> > > queue: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
> > > cipher
> > >
> > > Output from Client:
> > > bin/Linux_2.6.4# ./testConsumer
> > > SSL certificate opened successfully
> > > LOG; Trying to connect (fd)...connected.
> > > LOG; Trying to connect (ssl)...connecting SSL socket failed
> > >
> > > Many thanks !
> > >
> > > Florian
> > >
> > > --
> > >
> > > server.c
> > > ----------------------------------------------------
> > > #include <sys/types.h>
> > > #include <sys/socket.h>
> > > #include <netinet/in.h>
> > > #include <arpa/inet.h>
> > > #include <iostream.h>
> > > #include <stdio.h>
> > > #include <stdlib.h>
> > > #include <string.h>
> > > #include </usr/include/openssl/ssl.h>
> > > #include </usr/include/openssl/err.h>
> > > #include </usr/include/openssl/crypto.h>
> > > #include </usr/include/openssl/x509.h>
> > > #include </usr/include/openssl/pem.h>
> > >
> > > #include <unistd.h>
> > >
> > > #define certificate_file "/root/security/server.crt"
> > > #define key_file "/root/security/server.key"
> > > #define CA_FILE "/certs/1024scert.pem"
> > >
> > > int main()
> > > {
> > > int m_fd;
> > > SSL* m_ssl;
> > > SSL_CTX* m_ctx;
> > >
> > > SSL_library_init();
> > > SSL_load_error_strings();
> > >
> > > m_ctx=SSL_CTX_new(SSLv3_server_method());
> > > if(!m_ctx)
> > > {
> > > cout << "failed to create SSL context" << endl;
> > > }
> > > m_ssl=SSL_new(m_ctx);
> > > OpenSSL_add_all_algorithms();
> > >
> > > if(!m_ssl)
> > > {
> > > cout << "failed to create SSL structure" << endl;
> > > }
> > >
> > > if((SSL_use_PrivateKey_file(m_ssl,key_file,1))!=1)
> > > {
> > > cout << "SSL PrivateKey file error - did not open" << endl;
> > > }
> > > else
> > > {
> > > cout << "SSL PrivateKey opened successfully" << endl;
> > > }
> > >
> > > // Create socket.
> > > if ((m_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
> > > {
> > > cout << "Failed to create socket." << endl;
> > > }
> > >
> > > // Assign a port adress to the socket.
> > > struct sockaddr_in local_addr;
> > > memset((char *) &local_addr, 0, sizeof(sockaddr_in)); // zero out
> > > local
> > > address
> > > local_addr.sin_family = AF_INET;
> > > local_addr.sin_addr.s_addr = inet_addr("10.1.18.65");
> > > local_addr.sin_port = 2000;
> > >
> > > if (bind(m_fd, (struct sockaddr *) &local_addr, sizeof(local_addr)) ==
> > >
> > > -1)
> > > {
> > > cout << "Failed to assign adress to socket." << endl;
> > > }
> > >
> > > // Start listening.
> > > if (listen(m_fd, 128) == -1)
> > > {
> > > cout << "Failed to listen to port." << endl;
> > > }
> > >
> > > struct sockaddr_in rem_add;
> > > socklen_t size(sizeof(sockaddr_in));
> > > memset((char *)&rem_add, 0, size);
> > >
> > > // Accept connections.
> > > cout << "LOG; Now accepting connections on fd...";
> > > if ((m_fd = accept(m_fd, (struct sockaddr *)&rem_add, &size)) == -1)
> > > {
> > > cout << "failed" << endl;
> > > }
> > > else
> > > {
> > > cout << "connection accepted."<< endl;
> > >
> > > if(SSL_set_fd(m_ssl, m_fd)!=1) //Mask initial FD as SSL socket -
> > > from
> > > here only use the ssl FD
> > > {
> > > cout << "Opening SSL connection FD failed" << endl;
> > > }
> > >
> > > cout << "LOG; Now accepting (ssl)...";
> > >
> > > // !!!
> > > int a(SSL_accept(m_ssl));
> > >
> > > if(a==1) // Wait for SSL Handshake from the other side
> > > {
> > > cout << "SSL Handshake successful" << endl;
> > > }
> > > else
> > > {
> > > cout << "SSL Handshake (SSL_accept) failed - error code " << a <<
> > > endl;
> > >
> > > int length(0);
> > > int errorCode = SSL_get_error(m_ssl, length);
> > > cout << "SSH Handshake error " << errorCode << "= ";
> > >
> > > switch (errorCode)
> > > {
> > > case SSL_ERROR_NONE: cout << "SSL_ERROR_NONE";
> > > break;
> > > case SSL_ERROR_ZERO_RETURN: cout << "SSL_ERROR_ZERO_RETURN";
> > > break;
> > > case SSL_ERROR_WANT_READ: cout << "SSL_ERROR_WANT_READ";
> > > break;
> > > case SSL_ERROR_WANT_WRITE: cout << "SSL_ERROR_WANT_WRITE";
> > > break;
> > > case SSL_ERROR_WANT_CONNECT: cout << "SSL_ERROR_WANT_CONNECT";
> > > break;
> > > case SSL_ERROR_WANT_ACCEPT: cout << "SSL_ERROR_WANT_ACCEPT";
> > > break;
> > > case SSL_ERROR_WANT_X509_LOOKUP: cout <<
> > > "SSL_ERROR_WANT_X509_LOOKUP";
> > > break;
> > > case SSL_ERROR_SYSCALL: cout << "SSL_ERROR_SYSCALL";
> > > break;
> > > case SSL_ERROR_SSL: cout << "SSL_ERROR_SSL";
> > > break;
> > > }
> > >
> > > unsigned long err(ERR_get_error());
> > > cout << "Err during Handshake from SSL error queue: " <<
> > > ERR_error_string(err, NULL) << endl;
> > > }
> > > }
> > > }
> > >
> > > ----------------------------------------------------
> > >
> > > client.c
> > > ----------------------------------------------------
> > > #include <sys/types.h>
> > > #include <sys/socket.h>
> > > #include <netinet/in.h>
> > > #include <arpa/inet.h>
> > > #include <iostream.h>
> > > #include <stdio.h>
> > > #include <stdlib.h>
> > > #include <string.h>
> > > #include </usr/include/openssl/ssl.h>
> > > #include </usr/include/openssl/err.h>
> > > #include </usr/include/openssl/crypto.h>
> > > #include </usr/include/openssl/x509.h>
> > > #include </usr/include/openssl/pem.h>
> > >
> > > #include <unistd.h>
> > >
> > > #define certificate_file "/root/security/server.crt"
> > > #define key_file "/root/security/server.key"
> > > #define CA_FILE "/certs/1024scert.pem"
> > >
> > >
> > > enum messageType_e
> > > {
> > > MESSAGE_TYPE_REQUEST,
> > > MESSAGE_TYPE_RETURN,
> > > MESSAGE_TYPE_RESPONSE,
> > > MESSAGE_TYPE_DATAGRAM
> > > };
> > >
> > > int main()
> > > {
> > > int m_fd;
> > > SSL* m_ssl;
> > > SSL_CTX* m_ctx;
> > > SSL_library_init(); //FG: Initialize the SSL Libs
> > > SSL_load_error_strings(); //FG: Load the error messages
> > >
> > >
> > >
> > > // Create socket.
> > > if ((m_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
> > > {
> > > cout << "Failed to create non-secure socket." << endl;
> > > }
> > >
> > > struct sockaddr_in remote_addr;
> > >
> > > // SSL_CTX *ssl_ctx_server = SSL_CTX_new(SSLv23_server_method());
> > > m_ctx=SSL_CTX_new(SSLv3_client_method()); //FG: create a secure
> > > context
> > > if(!m_ctx)
> > > {
> > > cout << "failed to create SSL context" << endl;
> > > }
> > >
> > > m_ssl=SSL_new(m_ctx);
> > >
> > > if(!m_ssl)
> > > {
> > > cout << "failed to create SSL structure" << endl;
> > > }
> > > OpenSSL_add_all_algorithms();
> > > if((SSL_use_certificate_file(m_ssl,certificate_file,1))!=1) //FG:
> > > Define SSL certificate to use
> > > {
> > > cout << "SSL certificate file error - did not open" << endl;
> > > }
> > > else
> > > {
> > > cout << "SSL certificate opened successfully" << endl;
> > > }
> > >
> > >
> > >
> > > memset((char *) &remote_addr, 0, sizeof(sockaddr_in)); // zero out
> > > local address
> > > remote_addr.sin_family = AF_INET;
> > > //remote_addr.sin_addr.s_addr =
> > > m_context->getConfiguration().m_ipAddress;
> > > //remote_addr.sin_port =
> > > htons(m_context->getConfiguration().m_port);
> > >
> > > remote_addr.sin_addr.s_addr = inet_addr("10.1.18.65");
> > > remote_addr.sin_port = 2000;
> > >
> > > cout << "LOG; Trying to connect (fd)...";
> > >
> > > if (connect(m_fd, (struct sockaddr *)&remote_addr, sizeof
> > > remote_addr)
> > > == -1)
> > > {
> > >
> > > cout << "Failed to connect secure channel. Channel not open." << endl;
> > > }
> > > else
> > > {
> > > cout << "connected." << endl;
> > > }
> > >
> > > if(SSL_set_fd(m_ssl, m_fd)!=1) //Mask initial FD as SSL socket -
> > >
> > > from here only use the ssl FD
> > > {
> > > cout << "Opening SSL connection FD failed" << endl;
> > > }
> > >
> > > sleep(10);
> > >
> > > cout << "LOG; Trying to connect (ssl)...";
> > > if(SSL_connect(m_ssl)!=1) //Connect SSL socket
> > > {
> > > cout << "connecting SSL socket failed" << endl;
> > > }
> > > else
> > > {
> > > cout << "connected." << endl;
> > > }
> > >
> > > // FORK.
> > >
> > > int length(0);
> > >
> > > while (true)
> > > {
> > > // Extract message type.
> > > messageType_e messageType;
> > > if ((length = SSL_read(m_ssl, &messageType, sizeof(messageType_e))) <
> > > 0)
> > > {
> > > int errorCode = SSL_get_error(m_ssl, length);
> > > cout << "Channel State error " << errorCode << "=" << endl;
> > > switch (errorCode)
> > > {
> > > case SSL_ERROR_NONE: cout << "SSL_ERROR_NONE";
> > > break;
> > > case SSL_ERROR_ZERO_RETURN: cout << "SSL_ERROR_ZERO_RETURN";
> > > break;
> > > case SSL_ERROR_WANT_READ: cout << "SSL_ERROR_WANT_READ";
> > > break;
> > > case SSL_ERROR_WANT_WRITE: cout << "SSL_ERROR_WANT_WRITE";
> > > break;
> > > case SSL_ERROR_WANT_CONNECT: cout << "SSL_ERROR_WANT_CONNECT";
> > > break;
> > > case SSL_ERROR_WANT_ACCEPT: cout << "SSL_ERROR_WANT_ACCEPT";
> > > break;
> > > case SSL_ERROR_WANT_X509_LOOKUP: cout <<
> > > "SSL_ERROR_WANT_X509_LOOKUP";
> > > break;
> > > case SSL_ERROR_SYSCALL: cout << "SSL_ERROR_SYSCALL";
> > > break;
> > > case SSL_ERROR_SSL: cout << "SSL_ERROR_SSL";
> > > break;
> > > }
> > >
> > > unsigned long err(ERR_get_error());
> > > cout << "Err from SSL error queue: " << ERR_error_string(err, NULL)
> > >
> > > << endl;
> > > }
> > >
> > > }
> > > }
> > >
> > > ______________________________________________________________________
> > > OpenSSL Project http://www.openssl.org
> > > User Support Mailing List openssl-users@openssl.org
> > > Automated List Manager [EMAIL PROTECTED]
> > >
> > ______________________________________________________________________
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List openssl-users@openssl.org
> > Automated List Manager [EMAIL PROTECTED]
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
