On Thu, Aug 07, 2014, Norm Green wrote:

> I just upgraded our product to 1.0.1i and logins via SRP are now
> broken.  Shown below are the SSL calls made from both the client and
> server.  Everything worked perfectly under 1.0.1h.
> Both sides set the cipher list to 'SRP' via calls to
> SSL_CTX_set_cipher_list(), so the "no shared cipher" complaint after
> line 31 on the server side is clearly bogus.
> 

Well maybe, maybe not. Just because a ciphersuite is included in the
cipherlist doesn't mean it is included or could be selected. For example if
you set a ciphersuite which uses ECDSA authentication it won't be selected if
the server doesn't include an ECDSA certificate.

That might be what is happening here: the ciphersuite is being (incorrectly)
excluded either client or server side.

> Any idea where to begin debugging this?  Any and all help is appreciated.
> 

Can you reproduce this with s_client and s_server?

Can you try a 1.0.1i client versus a 1.0.1h server and vice-versa?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org