>From: owner-openssl-us...@openssl.org On Behalf Of Jack Trades
>Sent: Thursday, 14 June, 2012 16:18

>I have an asynchronous win32 websocket server (written in C/C++
>using MSVS 2010) application that I now want to support WSS -
>a WebSocket Secure connection. To accomplish this, I added
>openssl to my application. However, when the client tries to
>connect to my webserver, openssl is rejecting the client
>during the initial handshake with the following error:
>13500:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:
>unknown protocol:.\ssl\s23_clnt.c:683:

This is a client-side error and should never occur on a server.
Are you doing SSL_accept or SSL_set_accept_state on the SSL
object(s) you create for specific connections?

>Here is some other info to help in uncovering the cause for this error:
>* openssl version - OpenSSL 1.0.0d 8 Feb 2011
>* I am testing locally using the latest Firefox/chrome browsers. IP=127.0.0.1 Port=8181

Note at the app level (not SSL level) browsers like IE FF Chrome,
and some but not all other clients, want or require the host in
the URL to match the subjectDN (or SAN) in the cert.

>* I created my own certificates for testing
<snip: usual selfsign root,server,client; also>
> >openssl dhparam -check -text -5 512 -out dh512.pem
> >openssl dhparam -check -text -5 1024 -out dh1024.pem

If you want/need actual security, don't use DH-512 except for
old export suites and don't use old export suites at all.

>* I setup the SSL_CTX for the server as follows:
> ctx = SSL_CTX_new (SSLv23_method ());
> if (ctx == NULL) {...
> // Load the trusted certificates from rootcert.pem
> if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1) { ...
> // Load the built-in certificate stores.
> if (SSL_CTX_set_default_verify_paths(ctx) != 1) { ...

set_default_verify replaces the settings from load_verify,
so OpenSSL will use only the default store and unless you have
your root cert (or any other needed root(s)) there the server
won't verify your client(s).
Generally you should use set_default only if you have no
app-specific truststore, or you supposedly have one but it gets
an error and you want to proceed rather than demanding a fix.

> // Incorporate certificate information into the SSL_CTX by loading
> // a chain of certificates from the specified file name
> if (SSL_CTX_use_certificate_chain_file (ctx, SERVER_CERTFILE) != 1) { ...

The server cert you created above has no intermediate(s) and thus
doesn't need _use_cert_chain, only _use_cert. But _use_chain works
here, and also in other situations that do have real chains.

> // Set password required to decrypt an encrypted private key
> SSL_CTX_set_default_passwd_cb(ctx, passwd_cb);
> // Load in the application's private key
> if (SSL_CTX_use_PrivateKey_file (ctx, SERVER_CERTFILE, SSL_FILETYPE_PEM) != 1) { ...
> // Have the server request a certificate from the client.
> // or if no certificate supplied.
> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
> // Set the maximum depth for verification.
> SSL_CTX_set_verify_depth(ctx, 4);

This setting >requests< client auth (cert plus proof), but
accepts connection if none is supplied. Is that what you want?

> // Enable all bug workarounds, disable SSL version 2, and recompute the private
> // part of the DH exchange for each client connecting.
> SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE);
> SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback);

I assume this callback uses the dh-param files you created above.
If you prohibit export suites, you could set DH-1024 statically.

> if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) != 1) { ...
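
An added example, not part of the original message or the poster's code: the accept/connect distinction the reply asks about, shown with Python's ssl module (a wrapper over OpenSSL) and in-memory BIOs so it runs without sockets or certificates. The function names and the host name "localhost" are chosen for this illustration, and the error text on a current OpenSSL differs from the 1.0.0d message quoted above.

```python
import ssl


def _new_object(server_side):
    """Create an unconnected TLS object over memory BIOs in the given state."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    if server_side:
        # Accept state: what SSL_set_accept_state() selects in the C API.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        obj = ctx.wrap_bio(incoming, outgoing, server_side=True)
    else:
        # Connect state: what SSL_set_connect_state() selects in the C API.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        obj = ctx.wrap_bio(incoming, outgoing, server_side=False,
                           server_hostname="localhost")  # constructed name
    return obj, incoming, outgoing


def first_flight(server_side):
    """Return the bytes a fresh object sends before it has read anything."""
    obj, _incoming, outgoing = _new_object(server_side)
    try:
        obj.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake now needs data from the peer
    return outgoing.read()


def connect_state_receiving_client_hello():
    """Model the bug: a 'server' object left in connect state gets a ClientHello."""
    client_hello = first_flight(server_side=False)  # stands in for the browser
    obj, incoming, _outgoing = _new_object(server_side=False)
    incoming.write(client_hello)
    try:
        obj.do_handshake()
    except ssl.SSLWantReadError:
        return "waiting"
    except ssl.SSLError:
        # A connect-state object expects a ServerHello, so it fails client-side.
        return "fatal"
    return "done"


if __name__ == "__main__":
    print("accept state sends first:", first_flight(True))
    hello = first_flight(False)
    print("connect state sends first: record type 0x%02x, %d bytes"
          % (hello[0], len(hello)))
    print("ClientHello into connect state:", connect_state_receiving_client_hello())
```

An object that writes a handshake record before it has read anything is in connect state, which is a quick check when a server reports a client-side handshake error.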