>From: owner-openssl-us...@openssl.org On Behalf Of Jack Trades
>Sent: Thursday, 14 June, 2012 16:18

>I have an asynchronous win32 websocket server (written in C/C++ 
>using MSVS 2010) application that I now want to support WSS - 
>a WebSocket Secure connection.  To accomplish this, I added 
>openssl to my application. However, when the client tries to 
>connect to my webserver, openssl is rejecting the client 
>during the initial handshake with the following error:
        
>13500:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:
>unknown protocol:.\ssl\s23_clnt.c:683:

This is a client-side error and should never occur on a server.
Are you doing SSL_accept or SSL_set_accept_state on the SSL 
object(s) you create for specific connections ?

>Here is some other info to help in uncovering the cause for this error:
>* openssl version - OpenSSL 1.0.0d 8 Feb 2011
>* I am testing locally using the latest Firefox/chrome browsers.
>  IP=127.0.0.1 Port=8181

Note at the app level (not SSL level) browsers like IE FF Chrome, 
and some but not all other clients, want or require the host 
in the URL to match the subjectDN (or SAN) in the cert. 

>* I created my own certificates for testing
<snip: usual selfsign root,server,client; also>
> >openssl dhparam -check -text -5 512 -out dh512.pem
> >openssl dhparam -check -text -5 1024  -out dh1024.pem

If you want/need actual security, don't use DH-512 except for 
old export suites and don't use old export suites at all.
        
>* I setup the SSL_CTX for the server as follows:

> ctx = SSL_CTX_new (SSLv23_method ());
> if (ctx == NULL) {...
> // Load the trusted certificates from rootcert.pem
> if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1) { ...
> // Load the built-in certificate stores.
> if (SSL_CTX_set_default_verify_paths(ctx) != 1) { ...

set_default_verify replaces the settings from load_verify, 
so OpenSSL will use only the default store and unless you 
have your root cert (or any other needed root(s)) there 
the server won't verify your client(s). Generally you should 
use set_default only if you have no app-specific truststore, 
or you supposedly have one but it gets an error and you want 
to proceed rather than demanding a fix.

> // Incorporate certificate information into the SSL_CTX by loading
> // a chain of certificates from the specified file name
> if (SSL_CTX_use_certificate_chain_file (ctx, SERVER_CERTFILE) != 1) { ...

The server cert you created above has no intermediate(s) and thus 
doesn't need _use_cert_chain, only _use_cert. But _use_chain works 
here, and also in other situations that do have real chains.

> // Set password required to decrypt an encrypted private key
> SSL_CTX_set_default_passwd_cb(ctx, passwd_cb);
> // Load in the application's private key
> if (SSL_CTX_use_PrivateKey_file (ctx, SERVER_CERTFILE, SSL_FILETYPE_PEM) != 1) { ...

> // Have the server request a certificate from the client.  
> // or if no certificate supplied.
> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
> // Set the maximum depth for verification.
> SSL_CTX_set_verify_depth(ctx, 4);

This setting >requests< client auth (cert plus proof), but 
accepts connection if none is supplied. Is that what you want?
        
> // Enable all bug workarounds, disable SSL version 2, and recompute the
> // private part of the DH exchange for each client connecting.
> SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE);
> SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback);

I assume this callback uses the dh-param files you created above.
If you prohibit export suites, you could set DH-1024 statically.

> if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) != 1) { ...


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
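
Added example, not part of the original post or of OpenSSL: a small C triage helper that splits the error line quoted above, unpacks its hex code using the OpenSSL 1.0.x layout, and flags errors raised in client handshake sources (`*_clnt.c`), which is the condition the reply points at for a server log. The struct and function names are hypothetical, and the parser assumes the file path field contains no colon.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The error line quoted in the post, joined back onto one line. */
static const char SAMPLE[] =
    "13500:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:"
    "unknown protocol:.\\ssl\\s23_clnt.c:683:";

/* Hypothetical struct for this example; not an OpenSSL type. */
struct ossl_err {
    unsigned lib, func, reason; /* unpacked from the hex code */
    char func_name[64], file[128];
    int client_side;            /* 1 if raised in a *_clnt.c source file */
};

/* Parse "pid:error:CODE:lib:func:reason:file:line:"; 0 on success, -1 if malformed. */
int parse_ossl_err(const char *line, struct ossl_err *e)
{
    char buf[512], *f[8], *p, *end;
    size_t n = 0, len = strlen(line);
    unsigned long code;

    if (len >= sizeof buf) return -1;
    memcpy(buf, line, len + 1);
    for (p = buf; n < 8 && p != NULL; n++) {  /* split on ':' in place */
        f[n] = p;
        if ((p = strchr(p, ':')) != NULL) *p++ = '\0';
    }
    if (n < 8 || strcmp(f[1], "error") != 0) return -1;
    code = strtoul(f[2], &end, 16);
    if (end == f[2] || *end != '\0' || code > 0xFFFFFFFFUL) return -1;

    /* OpenSSL 1.0.x packs the code as lib(8 bits) | func(12) | reason(12). */
    e->lib = (unsigned)((code >> 24) & 0xff);
    e->func = (unsigned)((code >> 12) & 0xfff);
    e->reason = (unsigned)(code & 0xfff);
    snprintf(e->func_name, sizeof e->func_name, "%s", f[4]);
    snprintf(e->file, sizeof e->file, "%s", f[6]);
    e->client_side = strstr(e->file, "_clnt.c") != NULL;
    return 0;
}

int main(void)
{
    struct ossl_err e;
    if (parse_ossl_err(SAMPLE, &e) != 0) return 1;
    printf("lib=%u func=%u reason=%u %s (%s)%s\n", e.lib, e.func, e.reason,
           e.func_name, e.file,
           e.client_side ? " <- client-side routine in a server log" : "");
    return 0;
}
```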
