Hi there: I have a problem upgrading openssl from 0.9.8l to 1.0.1b. Now I can reproduce the problem using s_server and s_client:
Server:
  openssl s_server -ssl2 -cert ssl_server.pem -WWW -CAfile cafile.pem
Client:
  openssl s_client -connect localhost:4433 -no_ssl3 -no_tls1 -debug

With 0.9.8l openssl, the above connection can be set up, and the SSL session protocol is SSLv2. This is the expected behavior; I am trying to set up an SSL connection with the SSLv2 protocol.

With 1.0.1b openssl, the handshake fails, with the following error messages:

Client error message:
  4160554636:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
Server error message:
  4160554636:error:140EC0AF:SSL routines:SSL2_READ_INTERNAL:non sslv2 initial packet:s2_pkt.c:187:

Then, I tested other combinations of s_server and s_client for 1.0.1b:

1. openssl s_server -ssl2 -cert ssl_server.pem -WWW -CAfile cafile.pem
   openssl s_client -connect localhost:4433 -ssl2 -debug
   Connection no problem, SSL session protocol is SSLv2.

2. openssl s_server -ssl2 -cert ssl_server.pem -WWW -CAfile cafile.pem
   openssl s_client -connect localhost:4433 -no_ssl3 -no_tls -no_tls1_1 -no_tls1_2 -debug
   Handshake fails, error message is the same as above.

3. openssl s_server -no_ssl3 -no_tls1 -no_tls1_2 -no_tls1_1 -cert ssl_server.pem -WWW -CAfile cafile.pem
   openssl s_client -connect localhost:4433 -no_ssl3 -no_tls1 -no_tls1_2 -no_tls1_1 -debug
   Handshake fails. Error message:
   4160554636:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:628:

4. apps/openssl s_server -no_ssl3 -no_tls1 -no_tls1_2 -no_tls1_1 -cert ssl_server.pem -WWW -CAfile cafile.pem
   openssl s_client -connect localhost:4433 -ssl2 -debug
   Handshake fails.
   Client error message:
   4160554636:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
   Server error messages:
   4160554636:error:1406B0CB:SSL routines:GET_CLIENT_MASTER_KEY:peer error no cipher:s2_pkt.c:682:
   4160554636:error:140780E5:SSL routines:SSL23_READ:ssl handshake failure:s23_lib.c:131:

It looks like the only way to set up an SSLv2 protocol session is to use -ssl2 for both s_server and s_client.
However, in my application, I use "openssl s_server -ssl2 -cert ssl_server.pem -WWW -CAfile cafile.pem" as the server, but the client uses the API. I use SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_protocolxxx) to isolate SSLv2 from the other supported protocols. My question is how to set up an SSLv2 connection using the API in 1.0.1b to the openssl s_server started with -ssl2. I tried SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2; it doesn't work. I wonder if it can be done just like what I did before in 0.9.8l.

G.Y

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
