Is there no one that can help me get a simple SRP test case working? Or should
I conclude SRP is broken in OpenSSL 1.0.1?
>From the output below, it appears the client and server support no less than 9
>ciphers in common. Why then do I get the "no shared cipher" error?
I rebuilt the library with -DCIPHER_DEBUG and now get the following output from
the handshake:
---------------------------------------------------------------
server:
openssl s_server -cipher SRP -nocert -tls1 -accept 57784 -debug
<SRP-DSS-AES-256-CBC-SHA>
<SRP-RSA-AES-256-CBC-SHA>
<SRP-AES-256-CBC-SHA>
<SRP-DSS-3DES-EDE-CBC-SHA>
<SRP-RSA-3DES-EDE-CBC-SHA>
<SRP-3DES-EDE-CBC-SHA>
<SRP-DSS-AES-128-CBC-SHA>
<SRP-RSA-AES-128-CBC-SHA>
<SRP-AES-128-CBC-SHA>
ACCEPT
read from 0x7e6f30 [0x7ec523] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 55 ....U
read from 0x7e6f30 [0x7ec528] (85 bytes => 85 (0x55))
0000 - 01 00 00 51 03 01 4e a8-bf bb 5d 89 f9 aa ae 3f ...Q..N...]....?
0010 - 5f df fd dd 70 1c 4d c1-91 09 94 84 47 2f 8e a7 _...p.M.....G/..
0020 - 99 d3 fe 73 6a e1 00 00-14 c0 22 c0 21 c0 20 c0 ...sj.....".!. .
0030 - 1c c0 1b c0 1a c0 1f c0-1e c0 1d 00 ff 01 00 00 ................
0040 - 14 00 0c 00 0c 0a 53 79-73 74 65 6d 55 73 65 72 ......SystemUser
0050 - 00 00 23 ..#
0055 - <SPACES/NULS>
Server has 9 from 7df600:
77e0e8:SRP-DSS-AES-256-CBC-SHA
77e090:SRP-RSA-AES-256-CBC-SHA
77e038:SRP-AES-256-CBC-SHA
77ded8:SRP-DSS-3DES-EDE-CBC-SHA
77de80:SRP-RSA-3DES-EDE-CBC-SHA
77de28:SRP-3DES-EDE-CBC-SHA
77dfe0:SRP-DSS-AES-128-CBC-SHA
77df88:SRP-RSA-AES-128-CBC-SHA
77df30:SRP-AES-128-CBC-SHA
Client sent 9 from 7df960:
77e0e8:SRP-DSS-AES-256-CBC-SHA
77e090:SRP-RSA-AES-256-CBC-SHA
77e038:SRP-AES-256-CBC-SHA
77ded8:SRP-DSS-3DES-EDE-CBC-SHA
77de80:SRP-RSA-3DES-EDE-CBC-SHA
77de28:SRP-3DES-EDE-CBC-SHA
77dfe0:SRP-DSS-AES-128-CBC-SHA
77df88:SRP-RSA-AES-128-CBC-SHA
77df30:SRP-AES-128-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000002:00000188:00000084]77e0e8:SRP-DSS-AES-256-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000001:00000188:00000084]77e090:SRP-RSA-AES-256-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000004:00000188:00000084]77e038:SRP-AES-256-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000002:00000188:00000084]77ded8:SRP-DSS-3DES-EDE-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000001:00000188:00000084]77de80:SRP-RSA-3DES-EDE-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000004:00000188:00000084]77de28:SRP-3DES-EDE-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000002:00000188:00000084]77dfe0:SRP-DSS-AES-128-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000001:00000188:00000084]77df88:SRP-RSA-AES-128-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000004:00000188:00000084]77df30:SRP-AES-128-CBC-SHA
write to 0x7e6f30 [0x7f5fd0] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28 ......(
ERROR
18446741324916266428:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no
shared cipher:s3_srvr.c:1306:
shutting down SSL
CONNECTION CLOSED
---------------------------------------------------------------
Client:
openssl s_client -srpuser SystemUser -srppass stdin -tls1 -cipher SRP -connect
localhost:57784 -debug
<SRP-DSS-AES-256-CBC-SHA>
<SRP-RSA-AES-256-CBC-SHA>
<SRP-AES-256-CBC-SHA>
<SRP-DSS-3DES-EDE-CBC-SHA>
<SRP-RSA-3DES-EDE-CBC-SHA>
<SRP-3DES-EDE-CBC-SHA>
<SRP-DSS-AES-128-CBC-SHA>
<SRP-RSA-AES-128-CBC-SHA>
<SRP-AES-128-CBC-SHA>
CONNECTED(00000003)
write to 0x7d23a0 [0x7f22e3] (90 bytes => 90 (0x5A))
0000 - 16 03 01 00 55 01 00 00-51 03 01 4e a8 bf bb 5d ....U...Q..N...]
0010 - 89 f9 aa ae 3f 5f df fd-dd 70 1c 4d c1 91 09 94 ....?_...p.M....
0020 - 84 47 2f 8e a7 99 d3 fe-73 6a e1 00 00 14 c0 22 .G/.....sj....."
0030 - c0 21 c0 20 c0 1c c0 1b-c0 1a c0 1f c0 1e c0 1d .!. ............
0040 - 00 ff 01 00 00 14 00 0c-00 0c 0a 53 79 73 74 65 ...........Syste
0050 - 6d 55 73 65 72 00 00 23- mUser..#
005a - <SPACES/NULS>
read from 0x7d23a0 [0x7edd83] (5 bytes => 5 (0x5))
0000 - 15 03 01 00 02 .....
read from 0x7d23a0 [0x7edd88] (2 bytes => 2 (0x2))
0000 - 02 28 .(
18446741324916266428:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure:s3_pkt.c:1227:SSL alert number 40
18446741324916266428:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:592:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1319681979
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
----- Original Message -----
> From: "Norm Green" <no...@vmware.com>
> To: openssl-users@openssl.org
> Sent: Tuesday, October 25, 2011 6:58:12 AM
> Subject: Re: OpenSSL 1.0.1 example with SRP
>
> Hi Peter,
>
> Same error on the server:
>
> normg@conifer>./srpserver
>
> Server is starting to listen on port 57784
>
> Server is starting accept on port 57784
> Connection accepted
> SSL_accept failed, error=SSL_ERROR_SSL
> Details: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
> cipher
> s3_srvr.c at 1306
> /home/normg/gssua/srp
> normg@conifer>
>
>
>
> Client output:
>
> normg@conifer>$GEMSTONE/bin/openssl s_client -srpuser SystemUser
> -cipher SRP -connect localhost:57784
> CONNECTED(00000003)
> 18446741324916266428:error:14094410:SSL
> routines:SSL3_READ_BYTES:sslv3 alert handshake
> failure:s3_pkt.c:1227:SSL alert number 40
> 18446741324916266428:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
> handshake failure:s3_pkt.c:592:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 0 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : 0000
> Session-ID:
> Session-ID-ctx:
> Master-Key:
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1319550564
> Timeout : 7200 (sec)
> Verify return code: 0 (ok)
> ---
>
>
> ----- Original Message -----
> > From: "Peter Sylvester" <peter.sylves...@gmail.com>
> > To: openssl-users@openssl.org
> > Sent: Tuesday, October 25, 2011 3:18:39 AM
> > Subject: Re: OpenSSL 1.0.1 example with SRP
> >
> > On 10/25/2011 05:15 AM, Norm Green wrote:
> > > Hello Experts,
> > >
> > > I'm new to OpenSSL so please bear with me.
> > >
> > > I'm trying to construct a simple example that uses a recent
> > > OpenSSL
> > > 1.0.1 snapshot to create secure connection using SRP without
> > > using
> > > any certificates. I am aware 1.0.1 is not yet released, but I've
> > > been told this should be possible.
> > try this first with s_client and s_server you need cipher SRP fo
> > them
> >
> > what happens when you connect to your server with
> >
> > openssl s_client -srpuser <USER> -cipher SRP -connect
> > server:port
> >
> >
> >
> > ______________________________________________________________________
> > OpenSSL Project
> > http://www.openssl.org
> > User Support Mailing List
> > openssl-users@openssl.org
> > Automated List Manager
> > majord...@openssl.org
> >
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
