> From: owner-openssl-us...@openssl.org On Behalf Of pradeepreddy
> Sent: Thursday, 12 May, 2011 18:37

> I have tried with all the ciphers. This same application works well on
> windows.
>
> I run my application again with s_server, but hit with the same error:
> SSL_ERROR_SSL
> error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or
> hash unavailable
>
> And on s_server [with -msg -debug], following messages are :
>
> client hello
> server hello
> SSL_accept:SSLv3 write certificate A
> >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> 0e 00 00 00
> SSL_accept:SSLv3 write server done A
> SSL_accept:SSLv3 flush data
> SSL_accept:failed in SSLv3 read client certificate A
> ERROR
> shutting down SSL
> CONNECTION CLOSED
> SSL_accept:failed in SSLv3 read client certificate A

Both -msg and -debug should have given you (redundant) hex dumps of all messages; did you delete them? But only -state, which you didn't say you used, should give lines like 'SSL_accept:SSLv3 write server done A' .

If there is no ServerKeyExchange (you didn't just delete it) then the selected suite probably uses RSA key agreement. But that doesn't help much; there are kRSA suites with all or nearly all data-ciphers and several hashes.

You can decode the dump of client-hello to determine what list of suites (and compressions) the client is offering, and of server-hello to determine what the server selected. If you can install wireshark from www.wireshark.org on a personal Windows machine that sees the same network link, that can do the decode for you automatically. There may be equivalent tools for Unix, but I don't know.

> This means, client and server are agreed on cipher. In what
> cases client
> verifies the TLS1_SETUP_KEY_BLOCK? which drove client to
> throw this error?
>

It's not a matter of verifying. The client is trying to *do* setup for the selected suite, and also compression, and failing. "Key" setup is a slightly misleading name; it's actually setting several internal pointers as well as the actual keys, and this first step -- determining pointers effectively to code for the selected cipher, hash, and compression -- is what is failing. Most likely the client has offered a suite or compression it doesn't actually support, which it shouldn't, or some of OpenSSL's memory has been clobbered by a bug in your client. Look at the selected suite in server-hello, and compare to the build options for the build(s) you are using.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org