SSL[_CTX]_set_cipher_list((is_ctx ? ctx : ssl),"STRONG:@STRENGTH") is your friend. I believe it defaults to essentially "NONE", but I could be wrong on that one -- I just know that "unable to negotiate a shared cipher" means that the cipher list sent by the client has a null union with the cipher list supported by the server.
-Kyle H

On Sun, Apr 25, 2010 at 12:07 AM, Modem Man <modem-...@gmx.net> wrote:
> Dear Stephen and dear all,
>
> regarding Stephen's question below:
>
> On Sat, Apr 24, 2010, Modem Man wrote:
> >
> > Dear all,
> > I've been fiddling for two days with BIO_do_handshake(), and have had no
> > luck.
> > I'm afraid it's time to cry for help now.
> >
> > *Short description:*
> > BIO_do_handshake() always returns -1, and I always get the message:
> > /error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher/
> >
> > from my error printing loop, which is:
> >   while( (code=ERR_get_error_line_data( &file, &line, &data, &flags ) ) != 0 ) {
> >     ERR_error_string_n( code, errX, sizeof(errX) );
> >     syslog( LOG_ERROR, "!> %s", errX );
> >   }
> >
> > *Detailed description:*
> > The code up to the BIO_do_handshake() does the following:
> >
> > 1) building a BIO chain, consisting of an accept_socket BIO and a buffer
> >    BIO.
> > 2) accept / pop as usual
> > 3) BIO_gets / BIO_puts, all working fine in non-SSL mode
> >    please note: it is an FTP server, completely written with OpenSSL
> >    BIO_xxxx and working fine for 2 weeks - until I try to add SSL to my
> >    BIO chain
> >    when we arrive here, it is the 1st command from the sftp client:
> >
> > 4) if I see "AUTH TLS" or "AUTH SSL", I answer:
> >    "234 AUTH command ok; starting SSL connection.\r\n",
> >    this sets the client into SSL mode, too.
> > Next, I insert an SSL BIO with the following sequence:
> > (error checks stripped here, but I can say all functions return ok
> > so far)
> >
> >   SSL_CTX * ctx;
> >   SSL * ssl;
> >   BIO * sslBIO, *bSock, *bBuff;
> >
> >   ctx = SSL_CTX_new( SSLv23_method() );
> >   SSL_CTX_set_options( ctx, (SSL_OP_NO_SSLv2 | SSL_OP_ALL) );
> >   SSL_CTX_set_mode( ctx, SSL_MODE_AUTO_RETRY );
> >   SSL_CTX_set_cipher_list( ctx, "ALL:DEFAULT:LOW" ); /* also not
> >   working: "ALL:!ADH:!LOW:!EXP:!MD5" */
> >   SSL_CTX_set_default_verify_paths( ctx );
> >   // CAFILE is ..../debug/servercert.pem
> >   // CAPATH is ...../debug path itself, there is also serverkey.pem
> >   SSL_CTX_load_verify_locations( ctx, CAFILE, CAPATH );
> >   SSL_CTX_set_verify( ctx, SSL_VERIFY_PEER, verify_cert_callback_foo );
> >   SSL_CTX_set_verify_depth( ctx, VERIFY_DEPTH + 1 );
> >
> >   sslBIO = BIO_new_ssl( ctx, 0 /*server*/ );
> >   BIO_get_ssl( sslBIO, &ssl );
> >   SSL_set_mode( ssl, SSL_MODE_AUTO_RETRY );
> >
> >   bBuff = myContext->bio; /* this is the bio I'm already using:
> >                              BUFFER+ACCEPT_SOCKET */
> >   bSock = BIO_pop( bBuff ); /* get the raw socket-bio */
> >   BIO_set_callback( sslBIO, BIO_debug_callback_foo );
> >   /* reassemble the chain, now with SSL in the middle: */
> >   myContext->bio = BIO_push( bBuff, BIO_push( sslBIO, bSock ) );
> >   BIO_do_handshake( sslBIO );
> > !Bang! here I die ....
> >
> > Need to say: Windows XP pro SP3, client is TotalCommander 7.02 with
> > built-in sftp via OpenSSL
> >
> > Any hint? Help? Suggestion?
> > Any knowledge of a bug in TotalCommander?
> > Any idea of another cost-free sftp client I can try?
> >
> > I would appreciate EVERYTHING that brings me a step further...
>
> Have you included OpenSSL_add_all_algorithms() and/or SSL_library_init()?
>
> Yes, I have. I just forgot to write it down here, since it is already in
> main(). Sorry.
>
>   My_InitCryptoSeed();
>   ERR_load_BIO_strings();
>   ERR_load_crypto_strings();
>   SSL_library_init();
>   SSL_load_error_strings();
>   OpenSSL_add_all_algorithms();
>
> How could I see which ciphers the 'other side' is offering?
> Maybe you can give me one more hint? I thought it could be a good idea to
> temporarily modify my server, so it immediately jumps into the "AUTH TLS"
> handler. So, next, I tested with the command
>
>   openssl s_client -connect localhost:21
>
> and got:
>
>   Loading 'screen' into random state - done
>   CONNECTED(00000720)
>   5756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
>   handshake failure:.\ssl\s23_clnt.c:658:
>   ---
>   no peer certificate available
>   ---
>   No client certificate CA names sent
>   ---
>   SSL handshake has read 7 bytes and written 210 bytes
>   ---
>   New, (NONE), Cipher is (NONE)
>   Secure Renegotiation IS NOT supported
>   Compression: NONE
>   Expansion: NONE
>   ---
>
> This looks as if my server _failed_ to load SSL_CTX_load_verify_locations(
> ctx, CAFILE, CAPATH ), right?
> I have:
>   #define CAFILE "d:\\proj.svn\\common\\openssl-1.0.0\\_MyCerts\\servercert.pem"
>   #define CAPATH "d:\\proj.svn\\common\\openssl-1.0.0\\_MyCerts"
> and almost all the *.pem stuff is lying around there.
> When using the already compiled openssl.exe, the <openssl.cnf> file is loaded
> from
>   d:\proj.svn\common\openssl-1.0.0\ssl\openssl.cnf,
> so I modified there:
>   HOME = d:\proj.svn\common\openssl-1.0.0\_MyCerts
>   [ CA_default ]
>   dir = d:\proj.svn\common\openssl-1.0.0\_MyCerts   # Where everything is kept
> But I do not know if my server.exe also loads from there...
> I also don't know if my pem files are okay, since I'm pretty new to this
> SSL business.
> My serverkey.pem is:
>   -----BEGIN RSA PRIVATE KEY-----
>   some base64 stuff
>   -----END RSA PRIVATE KEY-----
>
> My servercert.pem is:
>   -----BEGIN CERTIFICATE-----
>   some base64 stuff
>   -----END CERTIFICATE-----
>
> ca_cert.pem is:
>   -----BEGIN CERTIFICATE-----
>   some base64 stuff
>   -----END CERTIFICATE-----
>
> The only file with such content:
> __________________________________
>   Certificate:
>       Data:
>           Version: 3 (0x2)
>           Serial Number: 2 (0x2)
>           Signature Algorithm: sha1WithRSAEncryption
>           Issuer: C=DE, ST=NS, L=Hannover, O=Ich AG, CN=Modem Man/emailAddress=modem-man ....
> __________________________________
>
> is 02.pem in the _MyCerts dir and is referenced by index.txt as:
>   V  200421174822Z  02  unknown  /C=DE/ST=NS/O=Ich AG/CN=192.168.0.192
>
> So I completely ran out of ideas here....
>
> with very best regards,
> Modem Man
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
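The failure in the thread, reproduced as an added example that is not part of the mailing-list exchange. The posted setup sequence installs trust anchors with SSL_CTX_load_verify_locations() (those are only used to verify the *peer's* certificate) but never gives the server its own certificate and private key. A server that owns no key cannot authenticate, so every authenticated cipher suite drops out of the candidate set, OpenSSL's server side records "no shared cipher" in its error queue, and the client only sees a bare handshake_failure alert, which is exactly the pair of messages quoted above. Python's standard-library ssl module drives OpenSSL, so the two outcomes can be shown in memory without opening a port. The function names here (run_handshake, handshake_without_server_cert, handshake_with_server_cert, make_self_signed) are mine, and the self-signed certificate is a constructed throwaway generated with the openssl command-line tool if one is on PATH; when it is not, only the failure path runs.

```python
"""Reproduce 'no shared cipher' from a server context without a certificate,
then show the handshake succeeding once the certificate and key are loaded.
Added example, not code from the thread."""
import os
import shutil
import ssl
import subprocess
import tempfile


def run_handshake(server_ctx, client_ctx):
    """Drive a client and a server SSLObject through in-memory BIOs.

    Returns a dict with 'ok', the negotiated cipher on success, and the
    OpenSSL reason mnemonic recorded on each side on failure.
    """
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname="localhost")
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    done = {"client": False, "server": False}
    reason = {"client": None, "server": None}

    def step(name, obj):
        if done[name] or reason[name] is not None:
            return
        try:
            obj.do_handshake()
            done[name] = True
        except ssl.SSLWantReadError:
            pass                      # waiting for bytes from the peer
        except ssl.SSLError as e:
            reason[name] = e.reason   # OpenSSL's own reason, e.g. NO_SHARED_CIPHER

    for _ in range(8):                # a full handshake needs 2-3 round trips
        step("client", client)
        s_in.write(c_out.read())      # ClientHello (or an alert) to the server
        step("server", server)
        c_in.write(s_out.read())      # ServerHello (or an alert) to the client
        if all(done.values()) or all(v is not None for v in reason.values()):
            break

    ok = all(done.values())
    return {
        "ok": ok,
        "cipher": server.cipher()[0] if ok else None,
        "server_reason": reason["server"],
        "client_reason": reason["client"],
    }


def make_client_ctx(cafile=None):
    """Client context with verification on; trusts only `cafile` when given."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile is not None:
        ctx.load_verify_locations(cafile)
    return ctx


def handshake_without_server_cert():
    """The thread's situation: a server context that was never given a cert/key."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Deliberately no srv.load_cert_chain(...): with no key to authenticate,
    # no non-anonymous suite is selectable and the server reports NO_SHARED_CIPHER.
    return run_handshake(srv, make_client_ctx())


def make_self_signed(tmpdir):
    """Constructed throwaway cert/key via the openssl CLI; None if unavailable."""
    exe = shutil.which("openssl")
    if exe is None:
        return None
    cert = os.path.join(tmpdir, "servercert.pem")
    key = os.path.join(tmpdir, "serverkey.pem")
    cmd = [exe, "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
           "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
           "-keyout", key, "-out", cert]
    try:
        subprocess.run(cmd, check=True, capture_output=True)
    except subprocess.CalledProcessError:
        return None
    return cert, key


def handshake_with_server_cert():
    """Same server with certificate and key loaded; None when no openssl CLI."""
    with tempfile.TemporaryDirectory() as d:
        files = make_self_signed(d)
        if files is None:
            return None
        cert, key = files
        srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv.load_cert_chain(cert, key)   # raises if the key does not match the cert
        return run_handshake(srv, make_client_ctx(cafile=cert))


if __name__ == "__main__":
    print("without cert:", handshake_without_server_cert())
    print("with cert:   ", handshake_with_server_cert())
```

In the C API the calls that are missing from the posted sequence are SSL_CTX_use_certificate_file() and SSL_CTX_use_PrivateKey_file(), followed by SSL_CTX_check_private_key() to confirm that the key matches the certificate; SSL_CTX_load_verify_locations() and SSL_CTX_set_verify() only configure how the peer's certificate is checked. The example also shows why s_client's output is not enough for diagnosis: the client only ever receives the alert, while the specific reason lives in the server's own error queue, which is where the thread's error-printing loop is already looking.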