On 1/10/2012 11:38 AM, Peter Sylvester wrote:
an excerpt from rfc 5054 paragraph 3.3
If an attacker learns a user's SRP verifier (e.g., by gaining access
to a server's password file), the attacker can masquerade as the real
server to that user, and can also attempt a dictionary attack to
recover that user's password.
An attacker could repeatedly contact an SRP server and try to guess a
legitimate user's password. Servers SHOULD take steps to prevent
this, such as limiting the rate of authentication attempts from a
particular IP address or against a particular user name.
...
If the client receives an "unknown_psk_identity" alert in response to
a client hello, this alert may have been inserted by an attacker.
The client should be careful about making any decisions, or forming
any conclusions, based on receiving this alert
It seems the OP's problem on the client is that either OpenSSL never
*sends* that alert ("unknown_psk_identity"), or that OpenSSL chooses
to log and report that alert as something else.
It also seems that the OP's problem on the server is that OpenSSL
does not log and report this condition clearly at the server end, where
this condition is directly known.
As a professional, I realize the need in some situations not to tell the
remote client why they were rejected, but not telling the higher level
server code and thus the servers security officer is never a good idea.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
