The fix discussed in this thread appears to be incomplete: http://marc.info/?l=openssl-users&m=140752401023837&w=2
This fix works for SRP cipher suites that use RSA or DSA, which includes 6 of the 9 supported SRP cipher suites. But the three SRP cipher suites that don't rely on a server-side certificate are still broken. This problem can be recreated using these commands:

    openssl s_server -srpvfile passwd.srpv -nocert -cipher 'ALL:!eNULL:!SSLv2:!EXPORT:SRP'
    openssl s_client -cipher SRP -srpuser estuser

The error observed on the server-side is:

    3075913352:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1359:

The attached patch resolves the problem.

*** ssl_lib.c.orig 2014-08-11 14:57:47.617720888 -0400 --- ssl_lib.c 2014-08-11 14:58:09.449746325 -0400 *************** void ssl_set_cert_masks(CERT *c, const S *** 2138,2143 **** --- 2138,2150 ---- mask_a|=SSL_aNULL; emask_a|=SSL_aNULL; + #ifndef OPENSSL_NO_SRP + if (cipher->algorithm_auth & SSL_aSRP) { + mask_a |= SSL_aSRP; + emask_a |= SSL_aSRP; + } + #endif + #ifndef OPENSSL_NO_KRB5 mask_k|=SSL_kKRB5; mask_a|=SSL_aKRB5;
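
Review bot: the added test, if (cipher->algorithm_auth & SSL_aSRP), takes the SSL_aSRP mask bit from the cipher being evaluated and not from anything in the hunk that shows SRP is configured on the server, so every SRP cipher enables its own auth bit. The neighbouring SSL_aNULL and KRB5 assignments are unconditional. Consider gating this block on the server's SRP state instead (in the reproduction, the verifier file given with -srpvfile), so that a server with no SRP setup does not advertise these suites. Two smaller points: the KRB5 block sets mask_k as well as mask_a, while this block sets only mask_a and emask_a, so confirm the SRP key-exchange bit is covered elsewhere; and cipher is dereferenced with no NULL check visible in these lines. On style, the surrounding code writes mask_a|=SSL_aNULL; without spaces around the operator, and the new lines should match it.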