RE: strange problem of no shared cipher for no certificate TLS connection
Hi, Steve,

Thanks for your reply. I found no use in adding a dhparam file to my server and client. The connection still could not be set up. I found that if I set the server certificate and private key, the connection could be set up. That is, a server certificate is required even if I used SSL_CTX_set_verify to set both server and client mode to SSL_VERIFY_NONE. That really makes me confused.

I am using the TLSv1 method. And I set the ciphersuite to ALL:+ADH:+aNULL:+NULL:+eNULL with SSL_CTX_set_cipher_list(), but the connection still could not be set up without a server certificate.

Is there anything I can do?

Thanks,
Roger

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson
Sent: Friday, April 14, 2006 11:59 PM
To: openssl-users@openssl.org
Subject: Re: strange problem of no shared cipher for no certificate TLS connection

On Fri, Apr 14, 2006, Zhang, Long (Roger) wrote:

> Hi,
>
> I developed an application based on ACE_SSL, which is based on openssl. I found I could not set up a TLS connection with no certificate verification. That is, I just want a TLS connection without a certificate.
>
> I used the same cipherlist and rand file with the openssl command, while the openssl command could succeed in setting up a TLS connection, but my application always failed with the SSL3_GET_CLIENT_HELLO:no shared cipher error.

The FAQ question about no shared ciphers is relevant here. Although this refers to DSA certificates the comments also apply to no certificates:

http://www.openssl.org/support/faq.html#USER8

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                               [EMAIL PROTECTED]
Re: strange problem of no shared cipher for no certificate TLS connection
On Mon, Apr 17, 2006 at 10:20:14AM +0800, Zhang, Long (Roger) wrote:

> Hi, Steve,
>
> Thanks for your reply. I found no use in adding a dhparam file to my server and client. The connection still could not be set up. I found that if I set the server certificate and private key, the connection could be set up. That is, a server certificate is required even if I used SSL_CTX_set_verify to set both server and client mode to SSL_VERIFY_NONE. That really makes me confused.
>
> I am using the TLSv1 method. And I set the ciphersuite to ALL:+ADH:+aNULL:+NULL:+eNULL with SSL_CTX_set_cipher_list(), but the connection still could not be set up without a server certificate.
>
> Is there anything I can do?

Try: setting the ciphersuite to ADH. Also, test with s_server and s_client.

$ openssl s_server -nocert -cipher ADH -accept 12345
...

$ openssl s_client -cipher ADH -connect 127.0.0.1:12345
CONNECTED(0003)
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMBBAIAOgQgb5EGFC/WTA2O7JYVFxiDqSW4om3UXYWwmFTpu7WKftIE
ME0jydMKoAZxK1cW+QHIF8aYN+ev0CakDWc1PyAiSIeMWTwPsYYRh9rlSp3Xk+uE
86EGAgREQv41ogQCAgEspAYEBAE=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ADH-AES256-SHA:ADH-AES128-SHA:ADH-DES-CBC3-SHA:ADH-DES-CBC-SHA:EXP-ADH-DES-CBC-SHA:ADH-RC4-MD5:EXP-ADH-RC4-MD5
CIPHER is ADH-AES256-SHA
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 291 bytes and written 198 bytes
---
New, TLSv1/SSLv3, Cipher is ADH-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ADH-AES256-SHA
    Session-ID: 6F9106142FD64C0D8EEC9615171883A925B8A26DD45D85B09854E9BBB58A7ED2
    Session-ID-ctx:
    Master-Key: 4D23C9D30AA006712B5716F901C817C69837E7AFD026A40D67353F202248878C593C0FB1861187DAE54A9DD793EB84F3
    Key-Arg   : None
    Start Time: 1145241141
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

This is an example of a working ADH handshake. Figure out where your application differs from s_client and s_server.

--
	Viktor.
RE: strange problem of no shared cipher for no certificate TLS connection
Hi,

I have tried to set the ciphersuite to ADH. And I checked my application with s_server.c and s_client.c. When -nocert is set for the openssl server, the certificate is not loaded. My application also does not load any certificate. But my connection still could not be set up without a server certificate.

Roger

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Victor Duchovni
Sent: Monday, April 17, 2006 11:09 AM
To: openssl-users@openssl.org
Subject: Re: strange problem of no shared cipher for no certificate TLS connection

On Mon, Apr 17, 2006 at 10:20:14AM +0800, Zhang, Long (Roger) wrote:

> Hi, Steve,
>
> Thanks for your reply. I found no use in adding a dhparam file to my server and client. The connection still could not be set up. I found that if I set the server certificate and private key, the connection could be set up. That is, a server certificate is required even if I used SSL_CTX_set_verify to set both server and client mode to SSL_VERIFY_NONE. That really makes me confused.
>
> I am using the TLSv1 method. And I set the ciphersuite to ALL:+ADH:+aNULL:+NULL:+eNULL with SSL_CTX_set_cipher_list(), but the connection still could not be set up without a server certificate.
>
> Is there anything I can do?

Try: setting the ciphersuite to ADH. Also, test with s_server and s_client.

$ openssl s_server -nocert -cipher ADH -accept 12345
...

$ openssl s_client -cipher ADH -connect 127.0.0.1:12345
CONNECTED(0003)
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMBBAIAOgQgb5EGFC/WTA2O7JYVFxiDqSW4om3UXYWwmFTpu7WKftIE
ME0jydMKoAZxK1cW+QHIF8aYN+ev0CakDWc1PyAiSIeMWTwPsYYRh9rlSp3Xk+uE
86EGAgREQv41ogQCAgEspAYEBAE=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ADH-AES256-SHA:ADH-AES128-SHA:ADH-DES-CBC3-SHA:ADH-DES-CBC-SHA:EXP-ADH-DES-CBC-SHA:ADH-RC4-MD5:EXP-ADH-RC4-MD5
CIPHER is ADH-AES256-SHA
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 291 bytes and written 198 bytes
---
New, TLSv1/SSLv3, Cipher is ADH-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ADH-AES256-SHA
    Session-ID: 6F9106142FD64C0D8EEC9615171883A925B8A26DD45D85B09854E9BBB58A7ED2
    Session-ID-ctx:
    Master-Key: 4D23C9D30AA006712B5716F901C817C69837E7AFD026A40D67353F202248878C593C0FB1861187DAE54A9DD793EB84F3
    Key-Arg   : None
    Start Time: 1145241141
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

This is an example of a working ADH handshake. Figure out where your application differs from s_client and s_server.

--
	Viktor.
Re: strange problem of no shared cipher for no certificate TLS connection
On Mon, Apr 17, 2006 at 11:12:41AM +0800, Zhang, Long (Roger) wrote:

> Hi,
>
> I have tried to set the ciphersuite to ADH. And I checked my application with s_server.c and s_client.c. When -nocert is set for the openssl server, the certificate is not loaded. My application also does not load any certificate. But my connection still could not be set up without a server certificate.

Now you should read the source code for s_server (and s_client), and see where your code differs. Clearly the library supports ADH connections. If your application fails to do so, you are not making the right library calls.

--
	Viktor.
Re: strange problem of no shared cipher for no certificate TLS connection
On Fri, Apr 14, 2006, Zhang, Long (Roger) wrote:

> Hi,
>
> I developed an application based on ACE_SSL, which is based on openssl. I found I could not set up a TLS connection with no certificate verification. That is, I just want a TLS connection without a certificate.
>
> I used the same cipherlist and rand file with the openssl command, while the openssl command could succeed in setting up a TLS connection, but my application always failed with the SSL3_GET_CLIENT_HELLO:no shared cipher error.

The FAQ question about no shared ciphers is relevant here. Although this refers to DSA certificates the comments also apply to no certificates:

http://www.openssl.org/support/faq.html#USER8

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: strange problem of no shared cipher for no certificate TLS connection
Hello.

> I developed an application based on ACE_SSL, which is based on openssl. I found I could not set up a TLS connection with no certificate verification. That is, I just want a TLS connection without a certificate.

Anonymous ciphers are disabled by default in OpenSSL (default: ALL:!ADH:+RC4:@STRENGTH).
You should enable ADH on client _and_ on server side.
This may be done with SSL_CTX_set_cipher_list().

> I used the same cipherlist and rand file with the openssl command, while the openssl command could succeed in setting up a TLS connection, but my application always failed with the SSL3_GET_CLIENT_HELLO:no shared cipher error.
>
> successful openssl command
>
> On server side
> openssl s_server -accept 25062 -nocert -cipher aNULL -rand /home/zhangl/openssl/test/ca.bak/newcerts/01.pem
>
> On client side
> openssl s_client -connect gdcqd1:25062 -cipher aNULL -rand /home/zhangl/openssl/test/ca.bak/newcerts/01.pem

Removing aNULL on any side will break the TLS handshake.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
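The mechanism behind the "no shared cipher" error in this thread (Steve's FAQ pointer, Viktor's ADH test, and Marek's point that ADH must be enabled on both sides) can be made concrete with a small model of cipher-list negotiation. The following is an added example written for this page; it is not code from the thread, from ACE_SSL or from OpenSSL. The suite table, the alias set and the credential rules are a constructed, hand-picked approximation of OpenSSL's cipher-list syntax, just enough to reproduce the situations discussed above: a server with no certificate can only offer anonymous (aNULL) suites, so if the client's list is the quoted default ALL:!ADH:+RC4:@STRENGTH the intersection is empty, whatever the server's own list says.

```python
"""Toy model of why a server with no certificate reports "no shared cipher".

Added example; not OpenSSL's negotiation code. SUITES, ALIASES and the
credential rules in server_usable() are a constructed simplification.
"""
from collections import OrderedDict

# Constructed table: suite name -> (key exchange, authentication, key bits).
SUITES = OrderedDict([
    ("ADH-AES256-SHA",     ("DH",  "NONE", 256)),
    ("ADH-AES128-SHA",     ("DH",  "NONE", 128)),
    ("ADH-DES-CBC3-SHA",   ("DH",  "NONE", 168)),
    ("AES256-SHA",         ("RSA", "RSA",  256)),
    ("AES128-SHA",         ("RSA", "RSA",  128)),
    ("DHE-RSA-AES256-SHA", ("DH",  "RSA",  256)),
    ("DHE-DSS-AES256-SHA", ("DH",  "DSS",  256)),
    ("RC4-MD5",            ("RSA", "RSA",  128)),
])

# Aliases as predicates over (name, kx, auth, bits): a subset of OpenSSL's.
ALIASES = {
    "ALL":   lambda n, kx, au, b: True,
    "ADH":   lambda n, kx, au, b: kx == "DH" and au == "NONE",
    "aNULL": lambda n, kx, au, b: au == "NONE",
    "aRSA":  lambda n, kx, au, b: au == "RSA",
    "aDSS":  lambda n, kx, au, b: au == "DSS",
    "RC4":   lambda n, kx, au, b: "RC4" in n,
    "eNULL": lambda n, kx, au, b: "NULL" in n,   # matches nothing in this table
    "NULL":  lambda n, kx, au, b: "NULL" in n,
}


def _match(word):
    """Suites named by one cipher-list word (a suite name or an alias)."""
    if word in SUITES:
        return [word]
    if word in ALIASES:
        return [n for n, (kx, au, b) in SUITES.items() if ALIASES[word](n, kx, au, b)]
    raise ValueError(f"unknown cipher-list word: {word!r}")


def expand_cipher_list(spec):
    """Expand an OpenSSL-style list such as 'ALL:!ADH:+RC4:@STRENGTH'.

    '!' deletes permanently, '-' deletes (re-addable), '+' moves suites that
    are already enabled to the end, '@STRENGTH' sorts by key bits, descending.
    """
    enabled, killed = [], set()
    for token in spec.split(":"):
        if token == "@STRENGTH":
            enabled.sort(key=lambda n: -SUITES[n][2])   # stable sort
            continue
        op, word = (token[0], token[1:]) if token[:1] in ("!", "-", "+") else ("", token)
        hit = set(_match(word))
        if op == "!":
            killed |= hit
            enabled = [n for n in enabled if n not in hit]
        elif op == "-":
            enabled = [n for n in enabled if n not in hit]
        elif op == "+":
            enabled = [n for n in enabled if n not in hit] + [n for n in enabled if n in hit]
        else:
            enabled += [n for n in _match(word) if n not in enabled and n not in killed]
    return enabled


def server_usable(enabled, cert_auth=None, has_dh_params=True):
    """Filter the server's configured list by what its credentials permit.

    cert_auth is "RSA", "DSS" or None (no certificate loaded). This is the
    step the FAQ entry describes: a suite the server cannot authenticate or
    key-exchange with is dropped silently, whatever the cipher list says.
    """
    usable = []
    for n in enabled:
        kx, au, _ = SUITES[n]
        if au != "NONE" and au != cert_auth:
            continue          # signs with a key type the server does not have
        if kx == "RSA" and cert_auth != "RSA":
            continue          # RSA key transport needs an RSA key
        if kx == "DH" and not has_dh_params:
            continue          # (A)DH needs temporary DH parameters
        usable.append(n)
    return usable


def negotiate(client_spec, server_spec, cert_auth=None, has_dh_params=True):
    """Shared suites in the client's preference order; empty means the
    server would report SSL3_GET_CLIENT_HELLO:no shared cipher."""
    offered = expand_cipher_list(client_spec)
    usable = set(server_usable(expand_cipher_list(server_spec), cert_auth, has_dh_params))
    return [n for n in offered if n in usable]


if __name__ == "__main__":
    DEFAULT = "ALL:!ADH:+RC4:@STRENGTH"                  # default list quoted above
    ROGER = "ALL:+ADH:+aNULL:+NULL:+eNULL"               # list from the first mail
    print(negotiate(DEFAULT, DEFAULT, cert_auth=None))   # [] : no shared cipher
    print(negotiate("ADH", "ADH", cert_auth=None))       # ADH-AES256-SHA first
    print(negotiate(DEFAULT, ROGER, cert_auth=None))     # [] : client never offers ADH
    print(negotiate(ROGER, ROGER, cert_auth=None))       # ADH suites only
```

The last two calls show the point of Marek's reply: the server's list in the first mail does contain ADH (ALL includes it; `+ADH` only moves it to the end), so a client still running the default list is the side with nothing to offer. The same filter explains Steve's FAQ reference, since a DSA certificate with no DH parameters leaves the server with no usable suite either. Anonymous DH authenticates neither end, so a deployment that relies on it is open to an active man-in-the-middle; the model is for diagnosing the handshake failure, not a recommendation to ship ADH.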