On Thu, Jan 04, 2001 at 04:07:05AM -0600, Brian Smith wrote:
> I am just trying to get a simple DCC (IRC) connection established through SSL
> and when I use this code I get this result:
>
> int SSL_dcc_create(SocketList *s, int sock, int doconnect)
> {
>     set_blocking(sock);
>     if(doconnect)
>         s->ctx = SSL_CTX_new (SSLv23_client_method());
>     else
>         s->ctx = SSL_CTX_new (SSLv23_server_method());
>     s->ssl_fd = SSL_new (s->ctx);
>     SSL_set_fd (s->ssl_fd, sock);
>     if(doconnect)
>         return SSL_connect (s->ssl_fd);
>     return SSL_accept(s->ssl_fd);
> }
>
> On the client end I get:
>
> error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
>
> On the server end I get:
>
> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>
> Does anyone know what would cause this? Is it possible to have a server with no
> certificates or keyfiles? Or am I just missing something very obvious?
For a server to work without certificates you must enable the anonymous DH
ciphers on both client and server, which are not automatically enabled
due to security considerations: they easily allow man-in-the-middle attacks.
Use SSL_CTX_set_cipher_list("ADH:@STRENGTH"); on both client and server
(this will automatically disable all ciphers with certificates; for more
detailed information about the setting of cipher suites see "man ciphers").
For ADH to work the server must have DH parameters available, see
apps/s_server.c for examples.
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]