Hello ! I have changed the order now - however, in my understanding, setting the ciphers is not required in any case. The behaviour is unfortunately still the same. Is there a way to debug the handshake further down ?
Thanks Florian Krishna M Singh wrote: > Hi > > I don't remember the internals of the SSL_CTX and SSL structures but t > we need to create SSL object once all the initialization of SSL_CTX is > completed... > m_ssl=SSL_new(m_ctx); > should come after all the calls to add cipher etc. that sets something > in the context are done else the m_ssl willn't inherit those > properties (unless it uses the pCtx stored inside to access those.)... > Actually some stuff (like Cert/Key) is copied inside SSL and some > stuff is referred from SSL thru pCtx from its CTX. So if sth is copied > to SSL than such init must be done before creating the SSL object.. > > HTH > -Krishna > > On 8/18/06, Florian G otter <[EMAIL PROTECTED]> wrote: > > Hello ! > > > > Here is again the complete code as of now. > > The restricitions are removed so far. > > > > Output from Server: > > SSL PrivateKey opened successfully > > LOG; Now accepting connections on fd...connection accepted. > > LOG; Now accepting (ssl)...SSL Handshake (SSL_accept) failed - error > > code -1 > > SSH Handshake error 1= SSL_ERROR_SSLErr during Handshake from SSL error > > queue: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared > > cipher > > > > Output from Client: > > bin/Linux_2.6.4# ./testConsumer > > SSL certificate opened successfully > > LOG; Trying to connect (fd)...connected. > > LOG; Trying to connect (ssl)...connecting SSL socket failed > > > > Many thanks ! > > > > Florian > > > > -- > > > > server.c > > ---------------------------------------------------- > > #include <sys/types.h> > > #include <sys/socket.h> > > #include <netinet/in.h> > > #include <arpa/inet.h> > > #include <iostream.h> > > #include <stdio.h> > > #include <stdlib.h> > > #include <string.h> > > #include </usr/include/openssl/ssl.h> > > #include </usr/include/openssl/err.h> > > #include </usr/include/openssl/crypto.h> > > #include </usr/include/openssl/x509.h> > > #include </usr/include/openssl/pem.h> > > > > #include <unistd.h> > > > > #define certificate_file "/root/security/server.crt" > > #define key_file "/root/security/server.key" > > #define CA_FILE "/certs/1024scert.pem" > > > > int main() > > { > > int m_fd; > > SSL* m_ssl; > > SSL_CTX* m_ctx; > > > > SSL_library_init(); > > SSL_load_error_strings(); > > > > m_ctx=SSL_CTX_new(SSLv3_server_method()); > > if(!m_ctx) > > { > > cout << "failed to create SSL context" << endl; > > } > > m_ssl=SSL_new(m_ctx); > > OpenSSL_add_all_algorithms(); > > > > if(!m_ssl) > > { > > cout << "failed to create SSL structure" << endl; > > } > > > > if((SSL_use_PrivateKey_file(m_ssl,key_file,1))!=1) > > { > > cout << "SSL PrivateKey file error - did not open" << endl; > > } > > else > > { > > cout << "SSL PrivateKey opened successfully" << endl; > > } > > > > // Create socket. > > if ((m_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) > > { > > cout << "Failed to create socket." << endl; > > } > > > > // Assign a port adress to the socket. > > struct sockaddr_in local_addr; > > memset((char *) &local_addr, 0, sizeof(sockaddr_in)); // zero out > > local > > address > > local_addr.sin_family = AF_INET; > > local_addr.sin_addr.s_addr = inet_addr("10.1.18.65"); > > local_addr.sin_port = 2000; > > > > if (bind(m_fd, (struct sockaddr *) &local_addr, sizeof(local_addr)) == > > > > -1) > > { > > cout << "Failed to assign adress to socket." << endl; > > } > > > > // Start listening. > > if (listen(m_fd, 128) == -1) > > { > > cout << "Failed to listen to port." << endl; > > } > > > > struct sockaddr_in rem_add; > > socklen_t size(sizeof(sockaddr_in)); > > memset((char *)&rem_add, 0, size); > > > > // Accept connections. > > cout << "LOG; Now accepting connections on fd..."; > > if ((m_fd = accept(m_fd, (struct sockaddr *)&rem_add, &size)) == -1) > > { > > cout << "failed" << endl; > > } > > else > > { > > cout << "connection accepted."<< endl; > > > > if(SSL_set_fd(m_ssl, m_fd)!=1) //Mask initial FD as SSL socket - > > from > > here only use the ssl FD > > { > > cout << "Opening SSL connection FD failed" << endl; > > } > > > > cout << "LOG; Now accepting (ssl)..."; > > > > // !!! > > int a(SSL_accept(m_ssl)); > > > > if(a==1) // Wait for SSL Handshake from the other side > > { > > cout << "SSL Handshake successful" << endl; > > } > > else > > { > > cout << "SSL Handshake (SSL_accept) failed - error code " << a << > > endl; > > > > int length(0); > > int errorCode = SSL_get_error(m_ssl, length); > > cout << "SSH Handshake error " << errorCode << "= "; > > > > switch (errorCode) > > { > > case SSL_ERROR_NONE: cout << "SSL_ERROR_NONE"; > > break; > > case SSL_ERROR_ZERO_RETURN: cout << "SSL_ERROR_ZERO_RETURN"; > > break; > > case SSL_ERROR_WANT_READ: cout << "SSL_ERROR_WANT_READ"; > > break; > > case SSL_ERROR_WANT_WRITE: cout << "SSL_ERROR_WANT_WRITE"; > > break; > > case SSL_ERROR_WANT_CONNECT: cout << "SSL_ERROR_WANT_CONNECT"; > > break; > > case SSL_ERROR_WANT_ACCEPT: cout << "SSL_ERROR_WANT_ACCEPT"; > > break; > > case SSL_ERROR_WANT_X509_LOOKUP: cout << > > "SSL_ERROR_WANT_X509_LOOKUP"; > > break; > > case SSL_ERROR_SYSCALL: cout << "SSL_ERROR_SYSCALL"; > > break; > > case SSL_ERROR_SSL: cout << "SSL_ERROR_SSL"; > > break; > > } > > > > unsigned long err(ERR_get_error()); > > cout << "Err during Handshake from SSL error queue: " << > > ERR_error_string(err, NULL) << endl; > > } > > } > > } > > > > ---------------------------------------------------- > > > > client.c > > ---------------------------------------------------- > > #include <sys/types.h> > > #include <sys/socket.h> > > #include <netinet/in.h> > > #include <arpa/inet.h> > > #include <iostream.h> > > #include <stdio.h> > > #include <stdlib.h> > > #include <string.h> > > #include </usr/include/openssl/ssl.h> > > #include </usr/include/openssl/err.h> > > #include </usr/include/openssl/crypto.h> > > #include </usr/include/openssl/x509.h> > > #include </usr/include/openssl/pem.h> > > > > #include <unistd.h> > > > > #define certificate_file "/root/security/server.crt" > > #define key_file "/root/security/server.key" > > #define CA_FILE "/certs/1024scert.pem" > > > > > > enum messageType_e > > { > > MESSAGE_TYPE_REQUEST, > > MESSAGE_TYPE_RETURN, > > MESSAGE_TYPE_RESPONSE, > > MESSAGE_TYPE_DATAGRAM > > }; > > > > int main() > > { > > int m_fd; > > SSL* m_ssl; > > SSL_CTX* m_ctx; > > SSL_library_init(); //FG: Initialize the SSL Libs > > SSL_load_error_strings(); //FG: Load the error messages > > > > > > > > // Create socket. > > if ((m_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) > > { > > cout << "Failed to create non-secure socket." << endl; > > } > > > > struct sockaddr_in remote_addr; > > > > // SSL_CTX *ssl_ctx_server = SSL_CTX_new(SSLv23_server_method()); > > m_ctx=SSL_CTX_new(SSLv3_client_method()); //FG: create a secure > > context > > if(!m_ctx) > > { > > cout << "failed to create SSL context" << endl; > > } > > > > m_ssl=SSL_new(m_ctx); > > > > if(!m_ssl) > > { > > cout << "failed to create SSL structure" << endl; > > } > > OpenSSL_add_all_algorithms(); > > if((SSL_use_certificate_file(m_ssl,certificate_file,1))!=1) //FG: > > Define SSL certificate to use > > { > > cout << "SSL certificate file error - did not open" << endl; > > } > > else > > { > > cout << "SSL certificate opened successfully" << endl; > > } > > > > > > > > memset((char *) &remote_addr, 0, sizeof(sockaddr_in)); // zero out > > local address > > remote_addr.sin_family = AF_INET; > > //remote_addr.sin_addr.s_addr = > > m_context->getConfiguration().m_ipAddress; > > //remote_addr.sin_port = > > htons(m_context->getConfiguration().m_port); > > > > remote_addr.sin_addr.s_addr = inet_addr("10.1.18.65"); > > remote_addr.sin_port = 2000; > > > > cout << "LOG; Trying to connect (fd)..."; > > > > if (connect(m_fd, (struct sockaddr *)&remote_addr, sizeof > > remote_addr) > > == -1) > > { > > > > cout << "Failed to connect secure channel. Channel not open." << endl; > > } > > else > > { > > cout << "connected." << endl; > > } > > > > if(SSL_set_fd(m_ssl, m_fd)!=1) //Mask initial FD as SSL socket - > > > > from here only use the ssl FD > > { > > cout << "Opening SSL connection FD failed" << endl; > > } > > > > sleep(10); > > > > cout << "LOG; Trying to connect (ssl)..."; > > if(SSL_connect(m_ssl)!=1) //Connect SSL socket > > { > > cout << "connecting SSL socket failed" << endl; > > } > > else > > { > > cout << "connected." << endl; > > } > > > > // FORK. > > > > int length(0); > > > > while (true) > > { > > // Extract message type. > > messageType_e messageType; > > if ((length = SSL_read(m_ssl, &messageType, sizeof(messageType_e))) < > > 0) > > { > > int errorCode = SSL_get_error(m_ssl, length); > > cout << "Channel State error " << errorCode << "=" << endl; > > switch (errorCode) > > { > > case SSL_ERROR_NONE: cout << "SSL_ERROR_NONE"; > > break; > > case SSL_ERROR_ZERO_RETURN: cout << "SSL_ERROR_ZERO_RETURN"; > > break; > > case SSL_ERROR_WANT_READ: cout << "SSL_ERROR_WANT_READ"; > > break; > > case SSL_ERROR_WANT_WRITE: cout << "SSL_ERROR_WANT_WRITE"; > > break; > > case SSL_ERROR_WANT_CONNECT: cout << "SSL_ERROR_WANT_CONNECT"; > > break; > > case SSL_ERROR_WANT_ACCEPT: cout << "SSL_ERROR_WANT_ACCEPT"; > > break; > > case SSL_ERROR_WANT_X509_LOOKUP: cout << > > "SSL_ERROR_WANT_X509_LOOKUP"; > > break; > > case SSL_ERROR_SYSCALL: cout << "SSL_ERROR_SYSCALL"; > > break; > > case SSL_ERROR_SSL: cout << "SSL_ERROR_SSL"; > > break; > > } > > > > unsigned long err(ERR_get_error()); > > cout << "Err from SSL error queue: " << ERR_error_string(err, NULL) > > > > << endl; > > } > > > > } > > } > > > > ______________________________________________________________________ > > OpenSSL Project http://www.openssl.org > > User Support Mailing List openssl-users@openssl.org > > Automated List Manager [EMAIL PROTECTED] > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]