On Thu, Mar 16, 2000 at 12:05:28PM -0500, Bob McConnell wrote:
> The basic commands (in two different shell windows) are:
> 
>     openssl s_server -tls1 -debug -nocert -dhparam dhparam.pem
> 
>     openssl s_client -tls1 -debug -cipher DHE-DSS-RC4-SHA
> 
> They consistently connect and drop out reporting "no shared cipher" errors.
> I have tried this both with and without the -cipher parameter and get the
> same results.

What are you trying to achieve?
- The s_server with -nocert will only work with ADH (anonymous DH) ciphers.
  These are not activated by default. To activate them, use something like
  openssl s_server ... -cipher "ALL:RC4+RSA:+SSLv2:@STRENGTH"
  (Since you already decided you want tlsv1 and no authentication, you can
  even just use ADH:@STRENGTH)
  * To make it clear: -nocert can not work without activating ADH ciphers,
    regardless of whatever client connection you try!!!!!!!
- The cipher DHE-DSS-RC4-SHA is flagged in ssl/ssl_ciph.c:561 as:
  SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
  The SSL_aDSS being the code for "DSS authentication", hence you need a
  certificate following the Digital Signature Standard (hence a DSA key).
  This contradicts the "Anonymous DH" approach in s_server...
  Since you don't have a DSA cert, the DHE-DSS-RC4-SHA does not work
  and hence: no shared cipher.

> What else has to be set up or added to make this pair work together? Is
> there a better cipher set to use for a DH-RC4 (128 bit) startup?
Probably you want the connection without a certificate? Then you need
ADH-RC4-MD5. Beware, this is an SSL-v3 cipher, so the -tls1 might not be
necessary.

openssl s_server -tls1 -debug -nocert -dhparam dhparam.pem -cipher ADH-RC4-MD5
openssl s_client -tls1 -debug -cipher ADH-RC4-MD5

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
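
Added example, not part of the original message and not OpenSSL code: a small Python model of the rule explained in the reply above, that a suite is usable only if the server holds a certificate matching its authentication type, which is why a -nocert server shares nothing with a client unless ADH suites are enabled. The sample lines are constructed in the column layout of `openssl ciphers -v`; the `negotiate` function and the assumed default list (ADH off) are hypothetical simplifications.

```python
# Constructed sample in the column layout of `openssl ciphers -v`
# (name, protocol, Kx=, Au=, Enc=, Mac=); not captured from a real build.
SAMPLE = """\
DHE-DSS-RC4-SHA  TLSv1 Kx=DH  Au=DSS  Enc=RC4(128) Mac=SHA1
ADH-RC4-MD5      SSLv3 Kx=DH  Au=None Enc=RC4(128) Mac=MD5
RC4-SHA          SSLv3 Kx=RSA Au=RSA  Enc=RC4(128) Mac=SHA1
"""

def parse_suites(text):
    """Map suite name -> attribute dict with keys proto, Kx, Au, Enc, Mac."""
    suites = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        attrs["proto"] = fields[1]
        suites[fields[0]] = attrs
    return suites

def negotiate(suites, client_offer, server_enabled, server_key_types):
    """Hypothetical model of suite selection, walking the client's order.

    server_key_types: set of key types the server holds a certificate for;
    an empty set models `s_server -nocert`.
    Returns (chosen_name_or_None, [(name, why_rejected), ...]).
    """
    rejected = []
    for name in client_offer:
        if name not in suites:
            rejected.append((name, "unknown suite"))
        elif name not in server_enabled:
            rejected.append((name, "not enabled on server"))
        elif suites[name]["Au"] not in server_key_types | {"None"}:
            rejected.append((name, "needs %s certificate" % suites[name]["Au"]))
        else:
            return name, rejected
    return None, rejected

if __name__ == "__main__":
    suites = parse_suites(SAMPLE)
    default = ["DHE-DSS-RC4-SHA", "RC4-SHA"]  # assumed default list: ADH off
    # Original pair: -nocert server, client forcing DHE-DSS-RC4-SHA.
    print(negotiate(suites, ["DHE-DSS-RC4-SHA"], default, set()))
    # Corrected pair: both sides restricted to ADH-RC4-MD5.
    print(negotiate(suites, ["ADH-RC4-MD5"], ["ADH-RC4-MD5"], set()))
```

A `None` result with a non-empty rejection list corresponds to the "no shared cipher" error; the rejection reason shows which side of the pair has to change.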
