The fix discussed in this thread appears to be incomplete:
http://marc.info/?l=openssl-users&m=140752401023837&w=2
This fix works for SRP cipher suites that use RSA or DSA, which
includes 6 of the 9 supported SRP cipher suites. But the three SRP
cipher suites that don't rely on a server-side certificate are still
broken. This problem can be recreated using these commands:
openssl s_server -srpvfile passwd.srpv -nocert -cipher 'ALL:!eNULL:!SSLv2:!EXPORT:SRP'
openssl s_client -cipher SRP -srpuser estuser
The error observed on the server-side is:
3075913352:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1359:
The attached patch resolves the problem.
*** ssl_lib.c.orig 2014-08-11 14:57:47.617720888 -0400
--- ssl_lib.c 2014-08-11 14:58:09.449746325 -0400
*************** void ssl_set_cert_masks(CERT *c, const S
*** 2138,2143 ****
--- 2138,2150 ----
mask_a|=SSL_aNULL;
emask_a|=SSL_aNULL;
+ #ifndef OPENSSL_NO_SRP
+ if (cipher->algorithm_auth & SSL_aSRP) {
+ mask_a |= SSL_aSRP;
+ emask_a |= SSL_aSRP;
+ }
+ #endif
+
#ifndef OPENSSL_NO_KRB5
mask_k|=SSL_kKRB5;
mask_a|=SSL_aKRB5;
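Review bot: The added `if (cipher->algorithm_auth & SSL_aSRP)` test makes the SRP mask depend on the cipher being examined, whereas the neighbouring `mask_a|=SSL_aNULL;` and the KRB5 lines set their bits without looking at `cipher`. Please either set SSL_aSRP unconditionally inside the `#ifndef OPENSSL_NO_SRP` guard, or gate it on whether the server actually has SRP configured, and add a one-line comment explaining the choice, since this function otherwise describes what the certificate and configuration can support. The KRB5 block sets both mask_k and mask_a while the new block touches only mask_a and emask_a, so it is worth confirming that the SRP key-exchange bit is already covered elsewhere. As a style point, the added lines write ` |= ` with spaces where the surrounding lines use `|=` without them.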