On Sat, Nov 13, 2010, Andrey Kulikov wrote:

> Hello,
>
> On 13 November 2010 03:33, Dr. Stephen Henson <st...@openssl.org> wrote:
> >
> > I've just tried 1.0.1 and it does have a problem with GOST and TLS v1.1 which
> > is the default for OpenSSL 1.0.1. If you include -no_tls1_1 in the command
> > line it should work or if you try a recent 1.0.0 snapshot (OpenSSL 1.0.0
> > doesn't support TLS v1.1).
> >
> > I'll look into the TLS v1.1 issue.
> >
> > Steve.
> >
> Sorry to confuse you - I've mixed up versions and snapshot filenames.
> I just re-check these snapshots of 1.0.0
> ftp://ftp.openssl.org/snapshot/openssl-1.0.0-stable-SNAP-20101112.tar.gz
> and 1.0.1
> ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20101112.tar.gz
>
> I disable TLS in there:
> ./config no-tls
>
> I add "-ssl3" parameter to s_server and s_client commands.
>
> ./apps/openssl s_server -ssl3 -www -engine gost -accept 4333 -state -cert botcert.pem -key botkey.p8
> ./apps/openssl s_client -ssl3 -engine gost -connect localhost:4333
>
> And both of these versions are not working in the same way.
>
> s_server
> =================
> SSL3 alert write:fatal:bad record mac
> SSL_accept:error in SSLv3 read certificate verify A
> 3076736652:error:1411D144:SSL routines:ssl3_handshake_mac:digest requred for handshake isn't computed:s3_enc.c:668:
> =================
>
> s_client
> =================
> verify return:1
> 3076413068:error:1411D144:SSL routines:ssl3_handshake_mac:digest requred for handshake isn't computed:s3_enc.c:668:
> =================
>

Sorry I missed the -ssl3 command option in your other messages.

The GOST ciphersuites don't work with SSLv3 but OpenSSL shouldn't be giving
that error message: it should just disable GOST ciphersuites if SSLv3 is
negotiated.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org