Norm Green
2014-10-14 03:20:46 UTC
I'm using OpenSSL 1.0.1i built from sources on Linux. I'm trying to get
an ephemeral DH connection to work without certificates and having no
luck. I can only seem to get anonymous DH (ADH) to work.
I am using SSL_CTX_set_tmp_dh_callback() on the server to set the CB
function to create a DH by calling the code C generated by "openssl
dhparam -inform PEM -in ./openssl/apps/dh1024.pem -C".
That C code only sets p and g parameters but not the public/private
keys. Is that part of the problem?
When I call SSL_CTX_set_cipher_list('kEECDH:kEDH'), then I get a
connection but it uses this cipher: which is ADH not EDH:
"ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD"
If I instead call SSL_CTX_set_cipher_list('!ADH:kEECDH:kEDH') to
disallow ADH, then I get the infamous "no shared ciphers" error when I
call SSL_accept() / SSL_connect():
SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1360:
In that case it does not even call the CB function! (see the server code
trace below).
I've tried calling SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE) but
that did not help.
Any idea where I'm going wrong?
Code trace from server side:
[ 1] SSL call: SSL_load_error_strings with args: NONE (nothing returned)
[ 2] SSL call: ERR_load_crypto_strings with args: NONE (nothing returned)
[ 3] SSL call: OpenSSL_add_all_ciphers with args: NONE (nothing returned)
[ 4] SSL call: OpenSSL_add_all_digests with args: NONE (nothing returned)
[ 5] SSL call: SSL_library_init with args: NONE result=1
[ 6] SSL call: RAND_status with args: NONE result=1
[ 7] SSL call: TLSv1_2_server_method with args: NONE result=0x7f22b72f2140
[ 8] SSL call: SSL_CTX_new with args: 0x7f22b72f2140 result=0x1c37ab0
[ 9] SSL call: SSL_CTX_ctrl with args: 0x1c37ab0 33 4 (NULL) result=4
[ 10] SSL call: SSL_CTX_set_verify with args: 0x1c37ab0 0 (NULL)
(nothing returned)
[ 11] SSL call: SSL_CTX_set_cipher_list with args: 0x1c37ab0
'!ADH:kEECDH:kEDH' result=1
[ 12] SSL call: SSL_CTX_set_tmp_dh_callback with args: 0x1c37ab0
0x7f22b7d1d361 (nothing returned)
[ 13] SSL call: SSL_CTX_ctrl with args: 0x1c37ab0 32 1048576 (NULL)
result=1048580
[ 14] SSL call: SSL_new with args: 0x1c37ab0 result=0x1c38290
[ 15] SSL call: SSL_set_fd with args: 0x1c38290 5 result=1
[ 16] SSL call: SSL_get_fd with args: 0x1c38290 result=5
[ 17] SSL call: ERR_clear_error with args: NONE (nothing returned)
[ 18] SSL call: SSL_accept with args: 0x1c38290 result=-1
[ 19] SSL call: SSL_get_error with args: 0x1c38290 -1 result=1
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
cipher:s3_srvr.c:1360:
Code trace from the client side:
[ 1] SSL call: SSL_load_error_strings with args: NONE (nothing returned)
[ 2] SSL call: ERR_load_crypto_strings with args: NONE (nothing returned)
[ 3] SSL call: OpenSSL_add_all_ciphers with args: NONE (nothing returned)
[ 4] SSL call: OpenSSL_add_all_digests with args: NONE (nothing returned)
[ 5] SSL call: SSL_library_init with args: NONE result=1
[ 6] SSL call: RAND_status with args: NONE result=1
[ 7] SSL call: TLSv1_2_client_method with args: NONE result=0x7f8533c55b40
[ 8] SSL call: SSL_CTX_new with args: 0x7f8533c55b40 result=0x16ba800
[ 9] SSL call: SSL_CTX_ctrl with args: 0x16ba800 33 4 (NULL) result=4
[ 10] SSL call: SSL_CTX_set_verify with args: 0x16ba800 0 (NULL)
(nothing returned)
[ 11] SSL call: SSL_CTX_set_cipher_list with args: 0x16ba800
'!ADH:kEECDH:kEDH' result=1
[ 12] SSL call: SSL_new with args: 0x16ba800 result=0x16bafe0
[ 13] SSL call: SSL_set_fd with args: 0x16bafe0 9 result=1
[ 14] SSL call: SSL_get_fd with args: 0x16bafe0 result=9
[ 15] SSL call: ERR_clear_error with args: NONE (nothing returned)
[ 16] SSL call: SSL_connect with args: 0x16bafe0 result=0
[ 17] SSL call: SSL_get_error with args: 0x16bafe0 0 result=1
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:s3_pkt.c:1275:SSL alert number 40
Thanks,
Norm Green
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
an ephemeral DH connection to work without certificates and having no
luck. I can only seem to get anonymous DH (ADH) to work.
I am using SSL_CTX_set_tmp_dh_callback() on the server to set the CB
function to create a DH by calling the code C generated by "openssl
dhparam -inform PEM -in ./openssl/apps/dh1024.pem -C".
That C code only sets p and g parameters but not the public/private
keys. Is that part of the problem?
When I call SSL_CTX_set_cipher_list('kEECDH:kEDH'), then I get a
connection but it uses this cipher: which is ADH not EDH:
"ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD"
If I instead call SSL_CTX_set_cipher_list('!ADH:kEECDH:kEDH') to
disallow ADH, then I get the infamous "no shared ciphers" error when I
call SSL_accept() / SSL_connect():
SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1360:
In that case it does not even call the CB function! (see the server code
trace below).
I've tried calling SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE) but
that did not help.
Any idea where I'm going wrong?
Code trace from server side:
[ 1] SSL call: SSL_load_error_strings with args: NONE (nothing returned)
[ 2] SSL call: ERR_load_crypto_strings with args: NONE (nothing returned)
[ 3] SSL call: OpenSSL_add_all_ciphers with args: NONE (nothing returned)
[ 4] SSL call: OpenSSL_add_all_digests with args: NONE (nothing returned)
[ 5] SSL call: SSL_library_init with args: NONE result=1
[ 6] SSL call: RAND_status with args: NONE result=1
[ 7] SSL call: TLSv1_2_server_method with args: NONE result=0x7f22b72f2140
[ 8] SSL call: SSL_CTX_new with args: 0x7f22b72f2140 result=0x1c37ab0
[ 9] SSL call: SSL_CTX_ctrl with args: 0x1c37ab0 33 4 (NULL) result=4
[ 10] SSL call: SSL_CTX_set_verify with args: 0x1c37ab0 0 (NULL)
(nothing returned)
[ 11] SSL call: SSL_CTX_set_cipher_list with args: 0x1c37ab0
'!ADH:kEECDH:kEDH' result=1
[ 12] SSL call: SSL_CTX_set_tmp_dh_callback with args: 0x1c37ab0
0x7f22b7d1d361 (nothing returned)
[ 13] SSL call: SSL_CTX_ctrl with args: 0x1c37ab0 32 1048576 (NULL)
result=1048580
[ 14] SSL call: SSL_new with args: 0x1c37ab0 result=0x1c38290
[ 15] SSL call: SSL_set_fd with args: 0x1c38290 5 result=1
[ 16] SSL call: SSL_get_fd with args: 0x1c38290 result=5
[ 17] SSL call: ERR_clear_error with args: NONE (nothing returned)
[ 18] SSL call: SSL_accept with args: 0x1c38290 result=-1
[ 19] SSL call: SSL_get_error with args: 0x1c38290 -1 result=1
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
cipher:s3_srvr.c:1360:
Code trace from the client side:
[ 1] SSL call: SSL_load_error_strings with args: NONE (nothing returned)
[ 2] SSL call: ERR_load_crypto_strings with args: NONE (nothing returned)
[ 3] SSL call: OpenSSL_add_all_ciphers with args: NONE (nothing returned)
[ 4] SSL call: OpenSSL_add_all_digests with args: NONE (nothing returned)
[ 5] SSL call: SSL_library_init with args: NONE result=1
[ 6] SSL call: RAND_status with args: NONE result=1
[ 7] SSL call: TLSv1_2_client_method with args: NONE result=0x7f8533c55b40
[ 8] SSL call: SSL_CTX_new with args: 0x7f8533c55b40 result=0x16ba800
[ 9] SSL call: SSL_CTX_ctrl with args: 0x16ba800 33 4 (NULL) result=4
[ 10] SSL call: SSL_CTX_set_verify with args: 0x16ba800 0 (NULL)
(nothing returned)
[ 11] SSL call: SSL_CTX_set_cipher_list with args: 0x16ba800
'!ADH:kEECDH:kEDH' result=1
[ 12] SSL call: SSL_new with args: 0x16ba800 result=0x16bafe0
[ 13] SSL call: SSL_set_fd with args: 0x16bafe0 9 result=1
[ 14] SSL call: SSL_get_fd with args: 0x16bafe0 result=9
[ 15] SSL call: ERR_clear_error with args: NONE (nothing returned)
[ 16] SSL call: SSL_connect with args: 0x16bafe0 result=0
[ 17] SSL call: SSL_get_error with args: 0x16bafe0 0 result=1
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:s3_pkt.c:1275:SSL alert number 40
Thanks,
Norm Green
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org