> From: owner-openssl-us...@openssl.org On Behalf Of Dan Arcari
> Sent: Wednesday, 21 January, 2009 16:18
>
> I'm wondering if someone can help me with a "no shared cipher" error occurring when I attempt
> SSL_accept? I'll try to explain what's being done as succinctly as possible:
>
> 1. There are two classes, SocketListener and SocketClient. Each does
> the following as part of SSL initialization (pseudocode here):
>
>     context = SSL_CTX_new(TLSv1_method());
>     connection = SSL_new(context);
>     SSL_CTX_use_certificate_file(context, path_to_cert, SSL_FILETYPE_PEM);
>     SSL_CTX_use_PrivateKey_file(context, path_to_key, SSL_FILETYPE_PEM);
>     SSL_CTX_check_private_key(context);
>     SSL_set_cipher_list(connection, "ALL:eNULL");

Changes to context (cert&privkey) don't affect the already created connection, so the client apparently won't use them. But by default the openssl server doesn't request, and the client doesn't do, authentication anyway. See below about the server.

> 2. The Listener calls all the Init stuff, calls SSL_set_fd(connection, fd),
> does normal socket bind() and listen(), calls SSL_set_accept_state()
> and then waits on accept().

You don't need the _set_fd and _set_accept_state, or indeed any 'connection' at all, for the listen socket; no SSL processing is ever done on it.

> 3. The Client calls all of this Init stuff, does its normal TCP connect,
> calls SSL_set_fd(connection, fd) and then calls SSL_set_connect_state()
> and finally SSL_connect().
>
> 4. When the client connection comes in, accept returns, and inside the
> listener object we create a new Client with the file descriptor returned from accept,
> and then call SSL_set_accept_state(newclient->connection, newclient->fd),
> and finally SSL_accept(newclient->connection).

Is that newclient->connection a new SSL_new(context) or a reused one? If new, do you do _set_cipher_list on it? If reused from the above initialization, did you expect/want it to have privkey&cert set?

I assume/hope you mean _set_fd(conn, fd) and _set_accept_state(conn), since there is no two-argument form of _set_accept_state.

> It's on the SSL_accept that I get the error. So I have two questions:
> does this sound like an otherwise correct procedure for establishing
> a basic SSL connection? and, what might be causing the shared cipher error?

Except as noted above, this sounds reasonable.

I assume you realize that ALL includes, and could possibly negotiate, some weak ciphers; but since you're explicitly adding eNULL you apparently don't care. It certainly should be able to negotiate SOMETHING.

Can you try openssl s_client -tls1 -cipher ALL against your server, and/or your client against openssl s_server similar plus -cert -key?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org