Hello !
I have changed the order now - however, in my understanding, setting the
ciphers is not required in any case.
The behaviour is unfortunately still the same.
Is there a way to debug the handshake further down ?
Thanks
Florian
Krishna M Singh wrote:
> Hi
>
> I don't remember the internals of the SSL_CTX and SSL structures but t
> we need to create SSL object once all the initialization of SSL_CTX is
> completed...
> m_ssl=SSL_new(m_ctx);
> should come after all the calls to add cipher etc. that sets something
> in the context are done else the m_ssl willn't inherit those
> properties (unless it uses the pCtx stored inside to access those.)...
> Actually some stuff (like Cert/Key) is copied inside SSL and some
> stuff is referred from SSL thru pCtx from its CTX. So if sth is copied
> to SSL than such init must be done before creating the SSL object..
>
> HTH
> -Krishna
>
> On 8/18/06, Florian G otter <[EMAIL PROTECTED]> wrote:
> > Hello !
> >
> > Here is again the complete code as of now.
> > The restricitions are removed so far.
> >
> > Output from Server:
> > SSL PrivateKey opened successfully
> > LOG; Now accepting connections on fd...connection accepted.
> > LOG; Now accepting (ssl)...SSL Handshake (SSL_accept) failed - error
> > code -1
> > SSH Handshake error 1= SSL_ERROR_SSLErr during Handshake from SSL error
> > queue: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
> > cipher
> >
> > Output from Client:
> > bin/Linux_2.6.4# ./testConsumer
> > SSL certificate opened successfully
> > LOG; Trying to connect (fd)...connected.
> > LOG; Trying to connect (ssl)...connecting SSL socket failed
> >
> > Many thanks !
> >
> > Florian
> >
> > --
> >
> > server.c
> > ----------------------------------------------------
> > #include <sys/types.h>
> > #include <sys/socket.h>
> > #include <netinet/in.h>
> > #include <arpa/inet.h>
> > #include <iostream.h>
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <string.h>
> > #include </usr/include/openssl/ssl.h>
> > #include </usr/include/openssl/err.h>
> > #include </usr/include/openssl/crypto.h>
> > #include </usr/include/openssl/x509.h>
> > #include </usr/include/openssl/pem.h>
> >
> > #include <unistd.h>
> >
> > #define certificate_file "/root/security/server.crt"
> > #define key_file "/root/security/server.key"
> > #define CA_FILE "/certs/1024scert.pem"
> >
> > int main()
> > {
> > int m_fd;
> > SSL* m_ssl;
> > SSL_CTX* m_ctx;
> >
> > SSL_library_init();
> > SSL_load_error_strings();
> >
> > m_ctx=SSL_CTX_new(SSLv3_server_method());
> > if(!m_ctx)
> > {
> > cout << "failed to create SSL context" << endl;
> > }
> > m_ssl=SSL_new(m_ctx);
> > OpenSSL_add_all_algorithms();
> >
> > if(!m_ssl)
> > {
> > cout << "failed to create SSL structure" << endl;
> > }
> >
> > if((SSL_use_PrivateKey_file(m_ssl,key_file,1))!=1)
> > {
> > cout << "SSL PrivateKey file error - did not open" << endl;
> > }
> > else
> > {
> > cout << "SSL PrivateKey opened successfully" << endl;
> > }
> >
> > // Create socket.
> > if ((m_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
> > {
> > cout << "Failed to create socket." << endl;
> > }
> >
> > // Assign a port adress to the socket.
> > struct sockaddr_in local_addr;
> > memset((char *) &local_addr, 0, sizeof(sockaddr_in)); // zero out
> > local
> > address
> > local_addr.sin_family = AF_INET;
> > local_addr.sin_addr.s_addr = inet_addr("10.1.18.65");
> > local_addr.sin_port = 2000;
> >
> > if (bind(m_fd, (struct sockaddr *) &local_addr, sizeof(local_addr)) ==
> >
> > -1)
> > {
> > cout << "Failed to assign adress to socket." << endl;
> > }
> >
> > // Start listening.
> > if (listen(m_fd, 128) == -1)
> > {
> > cout << "Failed to listen to port." << endl;
> > }
> >
> > struct sockaddr_in rem_add;
> > socklen_t size(sizeof(sockaddr_in));
> > memset((char *)&rem_add, 0, size);
> >
> > // Accept connections.
> > cout << "LOG; Now accepting connections on fd...";
> > if ((m_fd = accept(m_fd, (struct sockaddr *)&rem_add, &size)) == -1)
> > {
> > cout << "failed" << endl;
> > }
> > else
> > {
> > cout << "connection accepted."<< endl;
> >
> > if(SSL_set_fd(m_ssl, m_fd)!=1) //Mask initial FD as SSL socket -
> > from
> > here only use the ssl FD
> > {
> > cout << "Opening SSL connection FD failed" << endl;
> > }
> >
> > cout << "LOG; Now accepting (ssl)...";
> >
> > // !!!
> > int a(SSL_accept(m_ssl));
> >
> > if(a==1) // Wait for SSL Handshake from the other side
> > {
> > cout << "SSL Handshake successful" << endl;
> > }
> > else
> > {
> > cout << "SSL Handshake (SSL_accept) failed - error code " << a <<
> > endl;
> >
> > int length(0);
> > int errorCode = SSL_get_error(m_ssl, length);
> > cout << "SSH Handshake error " << errorCode << "= ";
> >
> > switch (errorCode)
> > {
> > case SSL_ERROR_NONE: cout << "SSL_ERROR_NONE";
> > break;
> > case SSL_ERROR_ZERO_RETURN: cout << "SSL_ERROR_ZERO_RETURN";
> > break;
> > case SSL_ERROR_WANT_READ: cout << "SSL_ERROR_WANT_READ";
> > break;
> > case SSL_ERROR_WANT_WRITE: cout << "SSL_ERROR_WANT_WRITE";
> > break;
> > case SSL_ERROR_WANT_CONNECT: cout << "SSL_ERROR_WANT_CONNECT";
> > break;
> > case SSL_ERROR_WANT_ACCEPT: cout << "SSL_ERROR_WANT_ACCEPT";
> > break;
> > case SSL_ERROR_WANT_X509_LOOKUP: cout <<
> > "SSL_ERROR_WANT_X509_LOOKUP";
> > break;
> > case SSL_ERROR_SYSCALL: cout << "SSL_ERROR_SYSCALL";
> > break;
> > case SSL_ERROR_SSL: cout << "SSL_ERROR_SSL";
> > break;
> > }
> >
> > unsigned long err(ERR_get_error());
> > cout << "Err during Handshake from SSL error queue: " <<
> > ERR_error_string(err, NULL) << endl;
> > }
> > }
> > }
> >
> > ----------------------------------------------------
> >
> > client.c
> > ----------------------------------------------------
> > #include <sys/types.h>
> > #include <sys/socket.h>
> > #include <netinet/in.h>
> > #include <arpa/inet.h>
> > #include <iostream.h>
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <string.h>
> > #include </usr/include/openssl/ssl.h>
> > #include </usr/include/openssl/err.h>
> > #include </usr/include/openssl/crypto.h>
> > #include </usr/include/openssl/x509.h>
> > #include </usr/include/openssl/pem.h>
> >
> > #include <unistd.h>
> >
> > #define certificate_file "/root/security/server.crt"
> > #define key_file "/root/security/server.key"
> > #define CA_FILE "/certs/1024scert.pem"
> >
> >
> > enum messageType_e
> > {
> > MESSAGE_TYPE_REQUEST,
> > MESSAGE_TYPE_RETURN,
> > MESSAGE_TYPE_RESPONSE,
> > MESSAGE_TYPE_DATAGRAM
> > };
> >
> > int main()
> > {
> > int m_fd;
> > SSL* m_ssl;
> > SSL_CTX* m_ctx;
> > SSL_library_init(); //FG: Initialize the SSL Libs
> > SSL_load_error_strings(); //FG: Load the error messages
> >
> >
> >
> > // Create socket.
> > if ((m_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
> > {
> > cout << "Failed to create non-secure socket." << endl;
> > }
> >
> > struct sockaddr_in remote_addr;
> >
> > // SSL_CTX *ssl_ctx_server = SSL_CTX_new(SSLv23_server_method());
> > m_ctx=SSL_CTX_new(SSLv3_client_method()); //FG: create a secure
> > context
> > if(!m_ctx)
> > {
> > cout << "failed to create SSL context" << endl;
> > }
> >
> > m_ssl=SSL_new(m_ctx);
> >
> > if(!m_ssl)
> > {
> > cout << "failed to create SSL structure" << endl;
> > }
> > OpenSSL_add_all_algorithms();
> > if((SSL_use_certificate_file(m_ssl,certificate_file,1))!=1) //FG:
> > Define SSL certificate to use
> > {
> > cout << "SSL certificate file error - did not open" << endl;
> > }
> > else
> > {
> > cout << "SSL certificate opened successfully" << endl;
> > }
> >
> >
> >
> > memset((char *) &remote_addr, 0, sizeof(sockaddr_in)); // zero out
> > local address
> > remote_addr.sin_family = AF_INET;
> > //remote_addr.sin_addr.s_addr =
> > m_context->getConfiguration().m_ipAddress;
> > //remote_addr.sin_port =
> > htons(m_context->getConfiguration().m_port);
> >
> > remote_addr.sin_addr.s_addr = inet_addr("10.1.18.65");
> > remote_addr.sin_port = 2000;
> >
> > cout << "LOG; Trying to connect (fd)...";
> >
> > if (connect(m_fd, (struct sockaddr *)&remote_addr, sizeof
> > remote_addr)
> > == -1)
> > {
> >
> > cout << "Failed to connect secure channel. Channel not open." << endl;
> > }
> > else
> > {
> > cout << "connected." << endl;
> > }
> >
> > if(SSL_set_fd(m_ssl, m_fd)!=1) //Mask initial FD as SSL socket -
> >
> > from here only use the ssl FD
> > {
> > cout << "Opening SSL connection FD failed" << endl;
> > }
> >
> > sleep(10);
> >
> > cout << "LOG; Trying to connect (ssl)...";
> > if(SSL_connect(m_ssl)!=1) //Connect SSL socket
> > {
> > cout << "connecting SSL socket failed" << endl;
> > }
> > else
> > {
> > cout << "connected." << endl;
> > }
> >
> > // FORK.
> >
> > int length(0);
> >
> > while (true)
> > {
> > // Extract message type.
> > messageType_e messageType;
> > if ((length = SSL_read(m_ssl, &messageType, sizeof(messageType_e))) <
> > 0)
> > {
> > int errorCode = SSL_get_error(m_ssl, length);
> > cout << "Channel State error " << errorCode << "=" << endl;
> > switch (errorCode)
> > {
> > case SSL_ERROR_NONE: cout << "SSL_ERROR_NONE";
> > break;
> > case SSL_ERROR_ZERO_RETURN: cout << "SSL_ERROR_ZERO_RETURN";
> > break;
> > case SSL_ERROR_WANT_READ: cout << "SSL_ERROR_WANT_READ";
> > break;
> > case SSL_ERROR_WANT_WRITE: cout << "SSL_ERROR_WANT_WRITE";
> > break;
> > case SSL_ERROR_WANT_CONNECT: cout << "SSL_ERROR_WANT_CONNECT";
> > break;
> > case SSL_ERROR_WANT_ACCEPT: cout << "SSL_ERROR_WANT_ACCEPT";
> > break;
> > case SSL_ERROR_WANT_X509_LOOKUP: cout <<
> > "SSL_ERROR_WANT_X509_LOOKUP";
> > break;
> > case SSL_ERROR_SYSCALL: cout << "SSL_ERROR_SYSCALL";
> > break;
> > case SSL_ERROR_SSL: cout << "SSL_ERROR_SSL";
> > break;
> > }
> >
> > unsigned long err(ERR_get_error());
> > cout << "Err from SSL error queue: " << ERR_error_string(err, NULL)
> >
> > << endl;
> > }
> >
> > }
> > }
> >
> > ______________________________________________________________________
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List openssl-users@openssl.org
> > Automated List Manager [EMAIL PROTECTED]
> >
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
