Dear Stephen and dear all,

regarding Stephen's question below:
On Sat, Apr 24, 2010, Modem Man wrote:

  
Dear all,

I've been fiddling for two days with BIO_do_handshake(), and always have no
luck.
I'm afraid it's time to cry for help now.

Short description:
BIO_do_handshake() always returns -1, and afterwards I always get the message:
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

from my error printing loop, which is:

    while( (code = ERR_get_error_line_data( &file, &line, &data, &flags )) != 0 ) {
        ERR_error_string_n( code, errX, sizeof(errX) );
        syslog( LOG_ERROR, "!> %s", errX );
    }


Detailed description:
The code leading up to BIO_do_handshake() does the following:

1) building a BIO chain, consisting of an accept_socket BIO and a buffer
BIO.
2) accept / pop as usual
3) BIO_gets / BIO_puts, all working fine in non-SSL mode
    please note: it is an FTP server, completely written with OpenSSL
BIO_xxxx calls and working fine for 2 weeks - until I try to add SSL to my
BIO chain
    when we arrive here, it is the 1st command from the sftp client:

4) if I see "AUTH TLS" or "AUTH SSL", I answer:
    "234 AUTH command ok; starting SSL connection.\r\n",
    this sets the client into SSL mode, too.
    Next, I insert an SSL BIO with the following sequence:
    (error checks stripped here, but I can say all functions return OK
so far)

   SSL_CTX * ctx;
   SSL     * ssl;
   BIO     * sslBIO, *bSock, *bBuff;

    ctx = SSL_CTX_new( SSLv23_method() );
    SSL_CTX_set_options( ctx, (SSL_OP_NO_SSLv2 | SSL_OP_ALL) );
    SSL_CTX_set_mode( ctx, SSL_MODE_AUTO_RETRY );
    SSL_CTX_set_cipher_list( ctx, "ALL:DEFAULT:LOW" );   /* also not
                                working: "ALL:!ADH:!LOW:!EXP:!MD5" */
    SSL_CTX_set_default_verify_paths( ctx );
    /* CAFILE is ..../debug/servercert.pem
       CAPATH is ...../debug  path itself, there is also serverkey.pem */
    SSL_CTX_load_verify_locations( ctx, CAFILE, CAPATH );
    SSL_CTX_set_verify( ctx, SSL_VERIFY_PEER, verify_cert_callback_foo );
    SSL_CTX_set_verify_depth( ctx, VERIFY_DEPTH + 1 );

    sslBIO = BIO_new_ssl( ctx, 0 /* 0 = server side */ );
    BIO_get_ssl( sslBIO, &ssl );
    SSL_set_mode( ssl, SSL_MODE_AUTO_RETRY );

    bBuff = myContext->bio;  /* this is the bio I'm already using:
                                BUFFER+ACCEPT_SOCKET */
    bSock = BIO_pop( bBuff );  /* get the raw socket-bio */
    BIO_set_callback( sslBIO, BIO_debug_callback_foo );
    /* reassemble the chain, now with SSL in the middle: */
    myContext->bio = BIO_push( bBuff, BIO_push( sslBIO, bSock ) );
    BIO_do_handshake( sslBIO );

    !Bang! here I die ....

Need to say: Windows XP Pro SP3; the client is TotalCommander 7.02 with
built-in sftp via OpenSSL.

Any hint? Help? Suggestion?
Any knowledge of a bug in TotalCommander?
Any idea of another cost-free sftp client I can try?

I would appreciate EVERYTHING that brings me a step further...

    

Have you included OpenSSL_add_all_algorithms() and/or SSL_library_init()?
  
Yes, I have. I just missed writing it down here, since it is already in main(). Sorry.

    My_InitCryptoSeed(); 
    ERR_load_BIO_strings();
    ERR_load_crypto_strings();
    SSL_library_init();
    SSL_load_error_strings();
    OpenSSL_add_all_algorithms();

How could I see which ciphers the 'other side' is offering? Maybe you can give me one more hint? I thought it could be a good idea to temporarily modify my server so it immediately jumps into the "AUTH TLS" handler. So, next, I tested with the command
openssl s_client -connect localhost:21
and got:

Loading 'screen' into random state - done
CONNECTED(00000720)
5756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:.\ssl\s23_clnt.c:658:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 210 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

This looks as if my server _failed_ to load
SSL_CTX_load_verify_locations( ctx, CAFILE, CAPATH ), right?
I have:
    #define CAFILE "d:\\proj.svn\\common\\openssl-1.0.0\\_MyCerts\\servercert.pem"
    #define CAPATH "d:\\proj.svn\\common\\openssl-1.0.0\\_MyCerts"
and almost every kind of *.pem file is lying around there.
When using the already compiled openssl.exe, the <openssl.cnf> file is loaded from
    d:\proj.svn\common\openssl-1.0.0\ssl\openssl.cnf,
so I modified there:
    HOME = d:\proj.svn\common\openssl-1.0.0\_MyCerts
    [ CA_default ]
    dir = d:\proj.svn\common\openssl-1.0.0\_MyCerts        # Where everything is kept
But I do not know if my server.exe also loads from there...
I also don't know if my pem files are okay, since I'm pretty new to this SSL business.
My serverkey.pem is:
-----BEGIN RSA PRIVATE KEY-----
   some base64 stuff
-----END RSA PRIVATE KEY-----

My servercert.pem is:
-----BEGIN CERTIFICATE-----
   some base64 stuff
-----END CERTIFICATE-----

ca_cert.pem is:
-----BEGIN CERTIFICATE-----
   some base64 stuff
-----END CERTIFICATE-----

The only file with such content:
__________________________________
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=NS, L=Hannover, O=Ich AG, CN=Modem Man/emailAddress=modem-man ....
__________________________________

is 02.pem in the _MyCerts dir and is referenced by index.txt as:
V    200421174822Z        02    unknown    /C=DE/ST=NS/O=Ich AG/CN=192.168.0.192


So I completely ran out of ideas here....

with very best regards,
Modem Man
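A few server-side checks for this situation, added here as an example and not taken from the thread: the posted sequence calls SSL_CTX_load_verify_locations(), which only installs CA material for verifying the peer, and never loads the server's own certificate and key (SSL_CTX_use_certificate_file() / SSL_CTX_use_PrivateKey_file()), and a server without a certificate can satisfy no RSA suite, which is exactly what "no shared cipher" reports. The script below uses the openssl CLI to check what a defender checks first: that a cipher string expands to at least one suite, that certificate and key belong together, and that the certificate verifies against the CA file. It assumes openssl is on PATH, generates a throwaway self-signed pair as constructed input in place of servercert.pem/serverkey.pem, and probe_ftp_tls is a helper for a live server whose host, port and cipher string are placeholders.

```shell
#!/bin/sh
# Added diagnostic script, not from the original thread. Assumes the
# openssl CLI is on PATH. The certificate/key pair it checks is a
# throwaway self-signed pair generated below as constructed sample input,
# standing in for servercert.pem / serverkey.pem from the post.

# Number of cipher suites an OpenSSL cipher string expands to; 0 means the
# string itself leaves the server with nothing to offer.
cipher_count() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -c . || true
}

# Succeeds when certificate and private key carry the same RSA modulus,
# i.e. a pair that SSL_CTX_use_certificate_file()/SSL_CTX_use_PrivateKey_file()
# followed by SSL_CTX_check_private_key() would accept.
cert_key_match() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Succeeds when the certificate chains to the given CA file, which is what
# the SSL_CTX_load_verify_locations() material is actually used for.
cert_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed sample: a self-signed server cert plus an unrelated second
# key, so a mismatch can be demonstrated. Prints the directory it used.
make_sample_certs() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=DE/O=Example/CN=192.168.0.192" \
        -keyout "$dir/serverkey.pem" -out "$dir/servercert.pem" >/dev/null 2>&1
    openssl genrsa -out "$dir/otherkey.pem" 2048 >/dev/null 2>&1
    echo "$dir"
}

# Live probe (not exercised here): speaks FTP, sends AUTH TLS the way the
# client does, then reports the negotiated cipher or the alert. HOST, PORT
# and CIPHERS are placeholders for the real server.
probe_ftp_tls() {
    openssl s_client -connect "$1:$2" -starttls ftp -cipher "$3" </dev/null 2>&1 |
        grep -E 'Cipher is|no shared cipher|handshake failure'
}
```

Run `probe_ftp_tls HOST PORT 'ALL:!ADH:!LOW:!EXP:!MD5'` against the server and compare with a plain `openssl s_client -connect HOST:PORT`, which sends a ClientHello before any AUTH TLS and so is not a valid test of an FTP server.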

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org