On Fri, Oct 22, 2004, Tyler Durden wrote:

> Hi,
> I have created a server and a client that connect and communicate
> well if I use these ciphers:
> "NULL-MD5", "NULL-SHA", "EXP-RC4-MD5", "RC4-MD5", "RC4-SHA",
> "EXP-RC2-CBC-MD5", "IDEA-CBC-SHA", "EXP-DES-CBC-SHA", "DES-CBD-SHA",
> "DES-CBC3-SHA", "AES128-SHA"," AES256-SHA".
>
> The client and the server use the TLSv1 protocol.
>
> My problem is that when I want to use the other TLSv1 ciphers, this
> error happens:
> 2042:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:882:
>
> But I do not understand this, because I use the same cipher for
> the client as for the server.
>
> I am trying with EDH-RSA-DES-CBC-SHA, but it does not work.
>
> I generate the RSA key with the following command:
> openssl genrsa -des3 -out rsaclient.key 1024
>
> and the certificate:
> openssl req -new -sha1 -x509 -key rsaclient.key -out rsaclient.crt
>
> Furthermore, I added these lines to the server:
>
> RSA *rsa = NULL;
> DH *dh = NULL;
> FILE *dhParamFile;
>
> SSL_CTX_set_options( ctx, SSL_OP_EPHEMERAL_RSA );
> SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
> dhParamFile = fopen( "dh_param_512.pem", "r" );
> dh = PEM_read_DHparams( dhParamFile, NULL, NULL, NULL );
> fclose( dhParamFile );
> rsa = RSA_generate_key( 1024, RSA_F4, NULL, NULL );
> SSL_CTX_set_tmp_rsa( ctx, rsa );
>
> With this code added, the connection was successful with the ciphers
> that I listed at the start of the e-mail.
>
> PS: I use the same certificate and key for server and client. The
> server calls SSL_CTX_set_verify( SSL_CTX *ctx, SSL_VERIFY_PEER,
> verify_callback );
> but verify_callback returns 1, so the cert of the client is always
> accepted by the server.
>
You need to include a call to SSL_CTX_set_tmp_dh() with the DH
parameters too.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
