Is there no one that can help me get a simple SRP test case working? Or should I conclude SRP is broken in OpenSSL 1.0.1?
From the output below, it appears the client and server support no less than 9 ciphers in common. Why then do I get the "no shared cipher" error?

I rebuilt the library with -DCIPHER_DEBUG and now get the following output from the handshake:

---------------------------------------------------------------
server:

openssl s_server -cipher SRP -nocert -tls1 -accept 57784 -debug
<SRP-DSS-AES-256-CBC-SHA>
<SRP-RSA-AES-256-CBC-SHA>
<SRP-AES-256-CBC-SHA>
<SRP-DSS-3DES-EDE-CBC-SHA>
<SRP-RSA-3DES-EDE-CBC-SHA>
<SRP-3DES-EDE-CBC-SHA>
<SRP-DSS-AES-128-CBC-SHA>
<SRP-RSA-AES-128-CBC-SHA>
<SRP-AES-128-CBC-SHA>
ACCEPT
read from 0x7e6f30 [0x7ec523] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 55                                    ....U
read from 0x7e6f30 [0x7ec528] (85 bytes => 85 (0x55))
0000 - 01 00 00 51 03 01 4e a8-bf bb 5d 89 f9 aa ae 3f   ...Q..N...]....?
0010 - 5f df fd dd 70 1c 4d c1-91 09 94 84 47 2f 8e a7   _...p.M.....G/..
0020 - 99 d3 fe 73 6a e1 00 00-14 c0 22 c0 21 c0 20 c0   ...sj.....".!. .
0030 - 1c c0 1b c0 1a c0 1f c0-1e c0 1d 00 ff 01 00 00   ................
0040 - 14 00 0c 00 0c 0a 53 79-73 74 65 6d 55 73 65 72   ......SystemUser
0050 - 00 00 23                                          ..#
0055 - <SPACES/NULS>
Server has 9 from 7df600:
77e0e8:SRP-DSS-AES-256-CBC-SHA
77e090:SRP-RSA-AES-256-CBC-SHA
77e038:SRP-AES-256-CBC-SHA
77ded8:SRP-DSS-3DES-EDE-CBC-SHA
77de80:SRP-RSA-3DES-EDE-CBC-SHA
77de28:SRP-3DES-EDE-CBC-SHA
77dfe0:SRP-DSS-AES-128-CBC-SHA
77df88:SRP-RSA-AES-128-CBC-SHA
77df30:SRP-AES-128-CBC-SHA
Client sent 9 from 7df960:
77e0e8:SRP-DSS-AES-256-CBC-SHA
77e090:SRP-RSA-AES-256-CBC-SHA
77e038:SRP-AES-256-CBC-SHA
77ded8:SRP-DSS-3DES-EDE-CBC-SHA
77de80:SRP-RSA-3DES-EDE-CBC-SHA
77de28:SRP-3DES-EDE-CBC-SHA
77dfe0:SRP-DSS-AES-128-CBC-SHA
77df88:SRP-RSA-AES-128-CBC-SHA
77df30:SRP-AES-128-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000002:00000188:00000084]77e0e8:SRP-DSS-AES-256-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000001:00000188:00000084]77e090:SRP-RSA-AES-256-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000004:00000188:00000084]77e038:SRP-AES-256-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000002:00000188:00000084]77ded8:SRP-DSS-3DES-EDE-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000001:00000188:00000084]77de80:SRP-RSA-3DES-EDE-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000004:00000188:00000084]77de28:SRP-3DES-EDE-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000002:00000188:00000084]77dfe0:SRP-DSS-AES-128-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000001:00000188:00000084]77df88:SRP-RSA-AES-128-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000004:00000188:00000084]77df30:SRP-AES-128-CBC-SHA
write to 0x7e6f30 [0x7f5fd0] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28                              ......(
ERROR
18446741324916266428:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1306:
shutting down SSL
CONNECTION CLOSED
---------------------------------------------------------------
Client:

openssl s_client -srpuser SystemUser -srppass stdin -tls1 -cipher SRP -connect localhost:57784 -debug
<SRP-DSS-AES-256-CBC-SHA>
<SRP-RSA-AES-256-CBC-SHA>
<SRP-AES-256-CBC-SHA>
<SRP-DSS-3DES-EDE-CBC-SHA>
<SRP-RSA-3DES-EDE-CBC-SHA>
<SRP-3DES-EDE-CBC-SHA>
<SRP-DSS-AES-128-CBC-SHA>
<SRP-RSA-AES-128-CBC-SHA>
<SRP-AES-128-CBC-SHA>
CONNECTED(00000003)
write to 0x7d23a0 [0x7f22e3] (90 bytes => 90 (0x5A))
0000 - 16 03 01 00 55 01 00 00-51 03 01 4e a8 bf bb 5d   ....U...Q..N...]
0010 - 89 f9 aa ae 3f 5f df fd-dd 70 1c 4d c1 91 09 94   ....?_...p.M....
0020 - 84 47 2f 8e a7 99 d3 fe-73 6a e1 00 00 14 c0 22   .G/.....sj....."
0030 - c0 21 c0 20 c0 1c c0 1b-c0 1a c0 1f c0 1e c0 1d   .!. ............
0040 - 00 ff 01 00 00 14 00 0c-00 0c 0a 53 79 73 74 65   ...........Syste
0050 - 6d 55 73 65 72 00 00 23-                          mUser..#
005a - <SPACES/NULS>
read from 0x7d23a0 [0x7edd83] (5 bytes => 5 (0x5))
0000 - 15 03 01 00 02                                    .....
read from 0x7d23a0 [0x7edd88] (2 bytes => 2 (0x2))
0000 - 02 28                                             .(
18446741324916266428:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1227:SSL alert number 40
18446741324916266428:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:592:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1319681979
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

----- Original Message -----
> From: "Norm Green" <no...@vmware.com>
> To: openssl-users@openssl.org
> Sent: Tuesday, October 25, 2011 6:58:12 AM
> Subject: Re: OpenSSL 1.0.1 example with SRP
>
> Hi Peter,
>
> Same error on the server:
>
> normg@conifer>./srpserver
>
> Server is starting to listen on port 57784
>
> Server is starting accept on port 57784
> Connection accepted
> SSL_accept failed, error=SSL_ERROR_SSL
> Details: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
> s3_srvr.c at 1306
> /home/normg/gssua/srp
> normg@conifer>
>
>
>
> Client output:
>
> normg@conifer>$GEMSTONE/bin/openssl s_client -srpuser SystemUser -cipher SRP -connect localhost:57784
> CONNECTED(00000003)
> 18446741324916266428:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1227:SSL alert number 40
> 18446741324916266428:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:592:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 0 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1319550564
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
> ---
>
>
> ----- Original Message -----
> > From: "Peter Sylvester" <peter.sylves...@gmail.com>
> > To: openssl-users@openssl.org
> > Sent: Tuesday, October 25, 2011 3:18:39 AM
> > Subject: Re: OpenSSL 1.0.1 example with SRP
> >
> > On 10/25/2011 05:15 AM, Norm Green wrote:
> > > Hello Experts,
> > >
> > > I'm new to OpenSSL so please bear with me.
> > >
> > > I'm trying to construct a simple example that uses a recent OpenSSL
> > > 1.0.1 snapshot to create a secure connection using SRP without using
> > > any certificates. I am aware 1.0.1 is not yet released, but I've
> > > been told this should be possible.
> > try this first with s_client and s_server; you need cipher SRP for
> > them
> >
> > what happens when you connect to your server with
> >
> > openssl s_client -srpuser <USER> -cipher SRP -connect server:port
> >
> >
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                           majord...@openssl.org
> >
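An added example, not part of the thread, that decodes the two -debug dumps quoted above (the client's ClientHello write and the server's 7-byte reply) to check what each side actually put on the wire; the byte strings are transcribed from the mail, and the suite code-to-name table is taken from RFC 5054 and RFC 5746:

```python
# SRP suites from RFC 5054 (names as OpenSSL prints them) and the RFC 5746 SCSV.
SUITE_NAMES = {
    0xC01A: "SRP-3DES-EDE-CBC-SHA", 0xC01B: "SRP-RSA-3DES-EDE-CBC-SHA",
    0xC01C: "SRP-DSS-3DES-EDE-CBC-SHA", 0xC01D: "SRP-AES-128-CBC-SHA",
    0xC01E: "SRP-RSA-AES-128-CBC-SHA", 0xC01F: "SRP-DSS-AES-128-CBC-SHA",
    0xC020: "SRP-AES-256-CBC-SHA", 0xC021: "SRP-RSA-AES-256-CBC-SHA",
    0xC022: "SRP-DSS-AES-256-CBC-SHA", 0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}
TLSEXT_SRP = 0x000C  # srp extension type (RFC 5054)

# From the client's "write to 0x7d23a0" dump (declares 90 bytes, 88 shown, so the tail is cut).
CLIENT_HELLO = bytes.fromhex(
    "16 03 01 00 55 01 00 00 51 03 01 4e a8 bf bb 5d"
    "89 f9 aa ae 3f 5f df fd dd 70 1c 4d c1 91 09 94"
    "84 47 2f 8e a7 99 d3 fe 73 6a e1 00 00 14 c0 22"
    "c0 21 c0 20 c0 1c c0 1b c0 1a c0 1f c0 1e c0 1d"
    "00 ff 01 00 00 14 00 0c 00 0c 0a 53 79 73 74 65"
    "6d 55 73 65 72 00 00 23")
SERVER_ALERT = bytes.fromhex("15 03 01 00 02 02 28")  # server's "write to 0x7e6f30"

def u16(b, i):
    return int.from_bytes(b[i:i + 2], "big")

def parse_client_hello(rec):
    # Record header (5) + handshake header (4), then the ClientHello body.
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello record")
    declared, body = int.from_bytes(rec[6:9], "big"), rec[9:]
    pos = 2 + 32                                       # client_version + random
    pos += 1 + body[pos]                               # session_id
    n, pos = u16(body, pos), pos + 2
    suites = [u16(body, i) for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + body[pos]                               # compression_methods
    pos += 2                                           # extensions length
    srp_user, exts = None, []
    while pos + 4 <= len(body):                        # tolerate the truncated tail
        etype, elen = u16(body, pos), u16(body, pos + 2)
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        exts.append(etype)
        if etype == TLSEXT_SRP:                        # opaque srp_I<1..2^8-1>
            srp_user = data[1:1 + data[0]].decode("ascii")
    return {"version": (body[0], body[1]), "extensions": exts,
            "suites": [SUITE_NAMES.get(s, "0x%04X" % s) for s in suites],
            "srp_user": srp_user, "bytes_missing": declared - len(body)}

def parse_alert(rec):
    # Alert record: level (1 warning / 2 fatal) + description; 40 = handshake_failure.
    return ({1: "warning", 2: "fatal"}.get(rec[5], "?"), rec[6])
```

The decode shows the client offering all nine SRP suites plus the renegotiation SCSV and an srp extension carrying SystemUser, answered by a fatal alert 40 (handshake_failure), so the suite lists on the wire really do overlap. Note that s_server installs its SRP username callback only when -srpvfile points at a verifier file (created with openssl srp), and the server command above runs without one.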