Hello Experts, I'm new to OpenSSL so please bear with me.
I'm trying to construct a simple example that uses a recent OpenSSL 1.0.1 snapshot to create a secure connection using SRP without using any certificates. I am aware 1.0.1 is not yet released, but I've been told this should be possible.

Here's how I'm setting up the client:

=================================
srpclient.c:
=================================

    #include <openssl/ssl.h>
    #include <openssl/err.h>

    /* handleError(), USER_NAME, PASSWORD and sock are defined elsewhere in the program */

    SSL_load_error_strings();
    OpenSSL_add_all_ciphers();
    OpenSSL_add_all_digests();
    (void) SSL_library_init();  // always succeeds per man page

    const SSL_METHOD *meth = TLSv1_client_method();
    SSL_CTX *ctx = SSL_CTX_new(meth);
    SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
    SSL_CTX_SRP_CTX_init(ctx);

    if (SSL_CTX_set_cipher_list(ctx, "aNULL:!eNULL:!LOW:!EXPORT:@STRENGTH") != 1)
        handleError("SSL_CTX_set_cipher_list failed");
    if (SSL_CTX_set_srp_username(ctx, (char *) USER_NAME) != 1)
        handleError("SSL_CTX_set_srp_username failed");
    if (SSL_CTX_set_srp_password(ctx, (char *) PASSWORD) != 1)
        handleError("SSL_CTX_set_srp_password failed");
    if (SSL_CTX_set_srp_strength(ctx, 1024) != 1)
        handleError("SSL_CTX_set_srp_strength failed");

    SSL *ssl = SSL_new(ctx);
    if (ssl == NULL)
        handleError("SSL_new failed");
    if (SSL_set_fd(ssl, sock) != 1)
        handleError("SSL_set_fd failed");

    int rc = SSL_connect(ssl);

=================================

and here is the server side:

=================================
srpserver.c:
=================================

    #include <openssl/ssl.h>
    #include <openssl/err.h>

    /* handleError(), USER_NAME, PASSWORD and sock are defined elsewhere in the program */

    SSL_load_error_strings();
    OpenSSL_add_all_ciphers();
    OpenSSL_add_all_digests();
    (void) SSL_library_init();  // always succeeds per man page

    // const SSL_METHOD *meth = SSLv23_server_method();
    const SSL_METHOD *meth = TLSv1_server_method();
    SSL_CTX *ctx = SSL_CTX_new(meth);
    SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
    SSL_CTX_SRP_CTX_init(ctx);

    if (SSL_CTX_set_cipher_list(ctx, "aNULL:!eNULL:!LOW:!EXPORT:@STRENGTH") != 1)
        handleError("SSL_CTX_set_cipher_list failed");

    SSL *ssl = SSL_new(ctx);
    if (ssl == NULL) {
        handleError("SSL_new() failed");
    }
    if (SSL_set_fd(ssl, sock) != 1)
        handleError("SSL_set_fd failed");
    if (SSL_set_srp_server_param_pw(ssl, USER_NAME, PASSWORD, "1024") != 1)
        handleError("SSL_set_srp_server_param_pw failed");

    int rc = SSL_accept(ssl);

=========================

On the server side I get this output:

    normg@conifer>./srpserver
    Server is starting to listen on port 57784
    Server is starting accept on port 57784
    TCP/IP Connection accepted
    SSL_accept failed, error=SSL_ERROR_SSL
    Details: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c at 1306

============================

and on the client I get:

    normg@conifer>./srpclient
    TCP/IP connect succeeded
    SSL_connect failed, error=SSL_ERROR_SSL
    Details: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure s3_pkt.c at 1227

I've tried using various SSL methods such as SSLv3 and TLS_1_1, but I always get the same error. It looks to me like the client still wants a cert from the server.

Another strange thing is that the following output seems to indicate that the SRP ciphers need SSLv3 instead of TLS1.x:

    normg@conifer>./openssl ciphers -v 'ALL:eNULL' |grep -i SRP
    SRP-DSS-AES-256-CBC-SHA  SSLv3 Kx=SRP Au=DSS  Enc=AES(256)   Mac=SHA1
    SRP-RSA-AES-256-CBC-SHA  SSLv3 Kx=SRP Au=RSA  Enc=AES(256)   Mac=SHA1
    SRP-AES-256-CBC-SHA      SSLv3 Kx=SRP Au=None Enc=AES(256)   Mac=SHA1
    SRP-DSS-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=DSS  Enc=3DES(168)  Mac=SHA1
    SRP-RSA-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=RSA  Enc=3DES(168)  Mac=SHA1
    SRP-3DES-EDE-CBC-SHA     SSLv3 Kx=SRP Au=None Enc=3DES(168)  Mac=SHA1
    SRP-DSS-AES-128-CBC-SHA  SSLv3 Kx=SRP Au=DSS  Enc=AES(128)   Mac=SHA1
    SRP-RSA-AES-128-CBC-SHA  SSLv3 Kx=SRP Au=RSA  Enc=AES(128)   Mac=SHA1
    SRP-AES-128-CBC-SHA      SSLv3 Kx=SRP Au=None Enc=AES(128)   Mac=SHA1

    normg@conifer>./openssl version
    OpenSSL 1.0.1-dev xx XXX xxxx

Can anyone point me in the right direction so I can get a simple SRP example to work?

Thanks for any help,

Norm Green
VMware, Inc.
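As an added diagnostic (example code written for this page, not from the original post or from OpenSSL): when SSL_accept dies with "no shared cipher", the first thing to check is what the cipher string on each side actually expands to. The parser below reads `openssl ciphers -v` output in the format shown above and reports which selected suites use SRP key exchange (and which of those have Au=None, i.e. need no server certificate); the embedded sample is constructed from the poster's listing, and `expand_cipher_list` shells out to a local `openssl` binary only if one is installed.

```python
"""Check which suites of an OpenSSL cipher string use SRP key exchange."""
import re
import shutil
import subprocess
from typing import List, NamedTuple, Optional

class CipherSuite(NamedTuple):
    name: str
    version: str   # protocol column, e.g. "SSLv3" or "TLSv1.2"
    kx: str        # key exchange, e.g. "SRP"
    au: str        # authentication, e.g. "None", "RSA", "DSS"
    enc: str
    mac: str

# Constructed sample in `openssl ciphers -v` format (three of the poster's suites
# plus one non-SRP suite, so the filter has something to reject).
SAMPLE = """\
SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP Au=DSS  Enc=AES(256) Mac=SHA1
SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP Au=None Enc=AES(256) Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA Au=RSA  Enc=AES(256) Mac=SHA1
"""

_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)")

def parse_ciphers_v(text: str) -> List[CipherSuite]:
    """Parse `openssl ciphers -v` output; lines that do not match are skipped."""
    suites = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            suites.append(CipherSuite(**m.groupdict()))
    return suites

def srp_suites(suites: List[CipherSuite], certless_only: bool = False) -> List[str]:
    """Names of suites with Kx=SRP; with certless_only, just those with Au=None."""
    return [s.name for s in suites
            if s.kx == "SRP" and (not certless_only or s.au == "None")]

def expand_cipher_list(cipher_list: str) -> Optional[List[CipherSuite]]:
    """Expand a cipher string with the local openssl; None if it is missing
    or the string selects no suites (openssl then exits non-zero)."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", cipher_list],
                          capture_output=True, text=True)
    return parse_ciphers_v(proc.stdout) if proc.returncode == 0 else None

if __name__ == "__main__":
    for spec in ("aNULL:!eNULL:!LOW:!EXPORT:@STRENGTH", "SRP"):
        got = expand_cipher_list(spec)
        print(spec, "->", "openssl unavailable" if got is None else srp_suites(got))
```

Run it on both the client and server host with the exact cipher string each side passes to SSL_CTX_set_cipher_list; if either list comes back without Kx=SRP suites, the handshake cannot agree on one.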