Hi!
Thanks!
I am using 1.0.2b3 on both server and client, and I have the call to
SSL_CTX_set_ecdh_auto, but still no luck.
The exact code is as follows:
358 void initialize(TLSSettings const& settings) {
359 ctx_ = SSL_CTX_new(TLSv1_2_server_method());
360 if (!ctx_) {
361 throw std::runtime_error(OpenSSLSup::currentError());
362 }
363
364 static const unsigned char context[] = "WVPN-TLS";
365
366 if (!SSL_CTX_set_session_id_context(ctx_, context,
sizeof(context))) {
367 debug.LogE(Debug::System, "Failed to set session ID
context, session resume will fail");
368 }
369
370 auto serverCert =
OpenSSLSup::loadPKCS12(settings.certificate(),
settings.certPassword());
371
372 debug.Log(Debug::System, "Server certificate '%s' (%s)",
373 OpenSSLSup::commonName(serverCert.cert.get()).c_str(),
374 settings.certificate().c_str());
375
376 SSL_CTX_set_info_callback(ctx_, ssl_info_cb);
377
378 if (!SSL_CTX_use_certificate(ctx_, serverCert.cert.get())) {
379 debug.LogE(Debug::System, "Failed to set server
certificate: %s",
380 OpenSSLSup::currentError().c_str());
381 throw std::runtime_error("Failed to create context");
382 }
383
384 if (!SSL_CTX_use_PrivateKey(ctx_, serverCert.privateKey.get())) {
385 debug.LogE(Debug::System, "Failed to set server
private key: %s",
386 OpenSSLSup::currentError().c_str());
387 throw std::runtime_error("Failed to create context");
388 }
389
390 auto vfy = SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER;
391 if(settings.requireClientCert()) {
392 vfy |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
393 }
394
395 SSL_CTX_set_verify(ctx_, vfy, nullptr);
396 SSL_CTX_set_ecdh_auto(ctx_, 1);
397
398 std::string ciphers;
399
400 ciphers = "SUITEB128";
401
402 if (!ciphers.empty()) {
403 if (SSL_CTX_set_cipher_list(ctx_, ciphers.c_str())) {
404 debug.Log(Debug::System, "Successfully set ciphers
%s", ciphers.c_str());
405 }
406 else {
407 debug.LogE(Debug::System, "Failed to set ciphers %s, %s",
408 ciphers.c_str(),
409 OpenSSLSup::currentError().c_str());
410 throw std::runtime_error("Failed to create context");
411 }
412 }
413
414 SSL_CTX_set_options(ctx_, SSL_OP_NO_TICKET);
415 SSL_CTX_set_session_cache_mode(ctx_, SSL_SESS_CACHE_BOTH);
416 SSL_CTX_sess_set_remove_cb(ctx_, ssl_remove_session_cb);
417 CertStore::setStoreInCTX(ctx_);
418 }
Warm regards,
Fredrik
On Fri, Nov 14, 2014 at 3:36 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Fri, Nov 14, 2014, Fredrik Jansson wrote:
>
>> Hi!
>>
>> I am trying to force my TLS 1.2 connection into Suite B mode, but at
>> handshake I get an error "no shared cipher".
>>
>> The server code is basically:
>>
>> SSL_CTX_new(TLSv1_2_server_method());
>> //ECDSA cert is added to the ctx
>> SSL_CTX_use_certificate(ctx_, serverCert.cert.get())
>> SSL_CTX_use_PrivateKey(ctx_, serverCert.privateKey.get())
>> SSL_CTX_set_cipher_list(ctx, "SUITEB128");
>> SSL_CTX_set_options(ctx_, SSL_OP_NO_TICKET);
>> SSL_CTX_set_session_cache_mode(ctx_, SSL_SESS_CACHE_BOTH);
>>
>> The client code is very similar.
>>
>> If I comment out the SSL_CTX_set_cipher_list call, it works and the
>> session is established with ECDH-ECDSA-AES256-GCM-SHA384.
>>
>> I suspect I need to provide the server with ephemeral ECDH keys, but I
>> cannot figure out how to do that.
>>
>> Does anyone have a working example to share?
>>
>
> Firstly you have to use OpenSSL 1.0.2 or this wont work.
>
> With 1.0.2 you just need to set the server to use automatic ECDH parameters
> with:
>
> SSL_CTX_set_ecdh_auto(ctx, 1);
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
