SSL[_CTX]_set_cipher_list((is_ctx ? ctx : ssl),"STRONG:@STRENGTH") is
your friend.  I believe it defaults to essentially "NONE", but I could
be wrong on that one -- I just know that "unable to negotiate a shared
cipher" means that the cipher list sent by the client has a null union
with the cipher list supported by the server.

-Kyle H

On Sun, Apr 25, 2010 at 12:07 AM, Modem Man <modem-...@gmx.net> wrote:
> Dear Stephen and dear all,
>
> regarding Stephen's question below:
>
> On Sat, Apr 24, 2010, Modem Man wrote:
>
>
>
> Dear all,
>
> I have been fiddling with BIO_do_handshake() for two days and have had no
> luck.
> I'm afraid it's time to cry for help now.
>
> *Short description:*
> BIO_do_handshake() always returns -1, and I always get the message:
> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>
> from my error printing loop, which is:
>
> while( (code = ERR_get_error_line_data( &file, &line, &data, &flags )) != 0 ) {
>     ERR_error_string_n( code, errX, sizeof(errX) );
>     syslog( LOG_ERROR, "!> %s", errX );
> }
>
>
> *Detailed description:*
> The code up to BIO_do_handshake() is as follows:
>
> 1) building a BIO chain, consisting of an accept_socket BIO and a buffer
> BIO.
> 2) accept / pop as usual
> 3) BIO_gets / BIO_puts, all working fine in non-SSL mode
>     please note: it is an FTP server, written entirely with OpenSSL
> BIO_xxxx calls, and it has been working fine for 2 weeks - until I try to
> add SSL to my BIO chain
>     when we arrive here, it is the 1st command from the sftp client:
>
> 4) if I see "AUTH TLS" or "AUTH SSL", I answer:
>     "234 AUTH command ok; starting SSL connection.\r\n",
>     which sets the client into SSL mode, too.
>     Next, I insert an SSL BIO with the following sequence:
>     (error checks stripped here, but I can say that all functions return OK
> so far)
>
>    SSL_CTX * ctx;
>    SSL     * ssl;
>    BIO     * sslBIO, *bSock, *bBuff;
>
>     ctx = SSL_CTX_new( SSLv23_method() );
>     SSL_CTX_set_options( ctx, (SSL_OP_NO_SSLv2 | SSL_OP_ALL) );
>     SSL_CTX_set_mode( ctx, SSL_MODE_AUTO_RETRY );
>     SSL_CTX_set_cipher_list( ctx, "ALL:DEFAULT:LOW" );   /* also not working: "ALL:!ADH:!LOW:!EXP:!MD5" */
>     SSL_CTX_set_default_verify_paths( ctx );
>     // CAFILE is ..../debug/servercert.pem
>     // CAPATH is ...../debug  path itself, there is also serverkey.pem
>     SSL_CTX_load_verify_locations( ctx, CAFILE, CAPATH );
>     SSL_CTX_set_verify( ctx, SSL_VERIFY_PEER, verify_cert_callback_foo );
>     SSL_CTX_set_verify_depth( ctx, VERIFY_DEPTH + 1 );
>
>     sslBIO = BIO_new_ssl( ctx, 0 /*server*/ );
>     BIO_get_ssl(sslBIO, &ssl);
>     SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
>
>     bBuff = myContext->bio;  /* this is the bio I'm already using: BUFFER+ACCEPT_SOCKET */
>     bSock = BIO_pop( bBuff );  /* get the raw socket-bio */
>     BIO_set_callback( sslBIO, BIO_debug_callback_foo );
>     /* reassemble the chain, now with SSL in the middle: */
>     myContext->bio = BIO_push( bBuff, BIO_push( sslBIO, bSock ) );
>     BIO_do_handshake( sslBIO );
>     !Bang! here I die ....
>
> Need to say: Windows XP pro SP3, Client is TotalCommander 7.02 with
> built in sftp via OpenSSL
>
> Any hint? Help? Suggestion?
> Any knowledge of Bug in Totalcommander?
> Any Idea of another cost-free sftp client, I can try?
>
> I would appreciate EVERYTHING that brings me a step further...
>
>
>
> Have you included OpenSSL_add_all_algorithms() and/or SSL_library_init()?
>
>
> Yes, I have. Just missed to write it down here, since it is already in
> main(). Sorry.
>
>     My_InitCryptoSeed();
>     ERR_load_BIO_strings();
>     ERR_load_crypto_strings();
>     SSL_library_init();
>     SSL_load_error_strings();
>     OpenSSL_add_all_algorithms();
>
> How could I see which ciphers the 'other side' is offering? Maybe you
> can give me one more hint? I thought it might be a good idea to
> temporarily modify my server so that it immediately jumps into the "AUTH TLS"
> handler. So, next, I tested with the command
>
> openssl s_client -connect localhost:21
>
> and got:
>
> Loading 'screen' into random state - done
> CONNECTED(00000720)
> 5756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> handshake failure:.\ssl\s23_clnt.c:658:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 210 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
>
> This looks as if my server _failed_ to load SSL_CTX_load_verify_locations(
> ctx, CAFILE, CAPATH ), right?
> I have:
>     #define CAFILE
> "d:\\proj.svn\\common\\openssl-1.0.0\\_MyCerts\\servercert.pem"
>     #define CAPATH "d:\\proj.svn\\common\\openssl-1.0.0\\_MyCerts"
> and almost all the *.pem stuff is lying around there.
> When using already compiled openssl.exe, the <openssl.cnf> file is loaded
> from
>     d:\proj.svn\common\openssl-1.0.0\ssl\openssl.cnf,
> so I modified there:
>     HOME = d:\proj.svn\common\openssl-1.0.0\_MyCerts
>     [ CA_default ]
>     dir = d:\proj.svn\common\openssl-1.0.0\_MyCerts        # Where everything is kept
> But I do not know, if my server.exe also loads from there...
> I also don't know if my pem files are okay, since I'm pretty new to this
> SSL business.
> My serverkey.pem is:
> -----BEGIN RSA PRIVATE KEY-----
>    some base64 stuff
> -----END RSA PRIVATE KEY-----
>
> My servercert.pem is:
> -----BEGIN CERTIFICATE-----
>    some base64 stuff
> -----END CERTIFICATE-----
>
> ca_cert.pem is:
> -----BEGIN CERTIFICATE-----
>    some base64 stuff
> -----END CERTIFICATE-----
>
> The only file with such content:
> __________________________________
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 2 (0x2)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=DE, ST=NS, L=Hannover, O=Ich AG, CN=Modem
> Man/emailAddress=modem-man ....
> __________________________________
>
> is 02.pem in the _MyCerts dir and is referenced by index.txt as:
> V    200421174822Z        02    unknown    /C=DE/ST=NS/O=Ich
> AG/CN=192.168.0.192
>
>
> So I completely ran out of ideas here....
>
> with very best regards,
> Modem Man
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org User Support Mailing List
> openssl-users@openssl.org Automated List Manager majord...@openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
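Two things a reader of this thread would want in hand, as an added example that is not code from either poster: (1) a decoder for the packed OpenSSL error codes quoted above, which shows that the client-side 0x14077410 is nothing more than the server's handshake_failure alert (reason codes of 1000 and above are alerts received from the peer, offset by SSL_AD_REASON_OFFSET), so the real diagnosis is the server-side 0x1408A0C1, reason 193 = "no shared cipher"; and (2) a parser that answers the "which ciphers is the other side offering?" question by listing the cipher suites in a captured ClientHello record (a hex dump of the bytes the socket BIO reads, or a Wireshark capture, is enough). The error-code layout is the pre-3.0 OpenSSL ERR_PACK layout (8-bit library, 12-bit function, 12-bit reason); the function and reason names in the tables are taken from the error strings that appear in the thread, and the ClientHello is a constructed sample, not a real capture. One check the posted server code also invites: it never calls SSL_CTX_use_certificate_file() or SSL_CTX_use_PrivateKey_file(), and SSL_CTX_load_verify_locations() only fills the CA store used to verify the *client*; a server with no key and certificate cannot serve any RSA or DHE-RSA suite, so "no shared cipher" results whatever the cipher string says.

```python
"""Triage helpers for the "no shared cipher" thread (added example, not the
original poster's code): decode OpenSSL 1.0.x/1.1.x packed error codes and list
the cipher suites offered in a TLS ClientHello."""
import struct

# Pre-3.0 OpenSSL ERR_PACK layout: 8-bit library | 12-bit function | 12-bit reason.
ERR_LIB_SSL = 20
# Function and reason codes recovered from the error strings quoted in the thread.
SSL_FUNCTIONS = {138: "SSL3_GET_CLIENT_HELLO", 119: "SSL23_GET_SERVER_HELLO"}
SSL_REASONS = {193: "no shared cipher"}
SSL_AD_REASON_OFFSET = 1000          # reasons >= 1000 are alerts sent by the peer
ALERTS = {10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
          42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca",
          70: "protocol_version"}    # TLS AlertDescription values (RFC 5246)


def decode_openssl_error(code):
    """Split a packed error code into library/function/reason and name what we can."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    info = {"lib": lib, "func": func, "reason": reason,
            "func_name": None, "reason_name": None, "peer_alert": None}
    if lib == ERR_LIB_SSL:
        info["func_name"] = SSL_FUNCTIONS.get(func)
        if reason >= SSL_AD_REASON_OFFSET:
            # The failure was reported by the other end, not detected locally.
            alert = reason - SSL_AD_REASON_OFFSET
            info["peer_alert"] = alert
            info["reason_name"] = "sslv3 alert " + ALERTS.get(alert, "alert %d" % alert)
        else:
            info["reason_name"] = SSL_REASONS.get(reason)
    return info


# IANA names for the suites used in the sample below.
CIPHER_SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}


def client_hello_cipher_suites(record):
    """Return the cipher suite IDs offered in one TLS ClientHello record.

    `record` is the raw record-layer bytes: type(1) version(2) length(2) body."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # client_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                             # skip session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def offered_suite_names(record):
    """Human-readable suite list, unknown IDs shown as hex."""
    return [CIPHER_SUITE_NAMES.get(s, "0x%04X" % s) for s in client_hello_cipher_suites(record)]


def build_client_hello(suites, version=(3, 1)):
    """Constructed sample input (not a capture): a minimal TLS ClientHello record."""
    body = bytes(version) + bytes(32)              # all-zero random is fine for a sample
    body += b"\x00"                                # empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                            # compression_methods: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs


SAMPLE_HELLO = build_client_hello([0x002F, 0x0035, 0x000A, 0x0004])

if __name__ == "__main__":
    for code in (0x1408A0C1, 0x14077410):          # the two codes quoted in the thread
        print("%08X" % code, decode_openssl_error(code))
    print(offered_suite_names(SAMPLE_HELLO))
```

Feed `client_hello_cipher_suites()` the first record the socket BIO reads after "234 AUTH command ok" and compare the result against what `openssl ciphers -v '<your string>'` prints for the server; an empty intersection is the literal meaning of "no shared cipher", while a non-empty one points at the server being unable to use the suites it matched (for the RSA suites above, that means no loaded certificate and key).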
