On Thu, Jun 12, 2014, Viktor Dukhovni wrote:

> When I compile Postfix against OpenSSL 1.0.2-beta or earlier, and
> configure the SMTP server to not have any certificates, the Postfix
> client and server happily negotiate a suitable aNULL ciphersuite
> (e.g. AECDH-AES256-SHA).
> 
> When I compile against "master", with the same configuration, I get
> on the server:
> 
>     SSL3 alert write:fatal:handshake failure
>     SSL_accept:error in SSLv3 read client hello C
>     error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1435:
> 
> The 15 ciphers reported by:
> 
> $ openssl ciphers -v 'aNULL:!EXPORT:!LOW:!eNULL:@STRENGTH'
> AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
> ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
> ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)  Mac=SHA256
> ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
> ADH-CAMELLIA256-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA1
> AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
> ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(128) Mac=AEAD
> ADH-AES128-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(128)  Mac=SHA256
> ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
> ADH-SEED-SHA            SSLv3 Kx=DH       Au=None Enc=SEED(128) Mac=SHA1
> ADH-CAMELLIA128-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA1
> AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
> ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
> AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH     Au=None Enc=3DES(168) Mac=SHA1
> ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
> 
> are somehow suppressed by the "master" client library.  Is this
> somehow related to the new "security levels"?  Something else?
> 

Yes. The default security levels disable anonymous ciphersuites. If you use
the new -s option to "ciphers" you'll see this.

Setting the security level to zero, either in the API or in the cipherstring, will
make them work again.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
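The `ciphers -s` check and the `@SECLEVEL=0` cipherstring override that Steve describes, as an added shell example that is not part of the thread: it counts the unauthenticated (Au=None) suites OpenSSL reports without the security level applied, with the default level applied, and with level 0 forced in the string. It assumes an OpenSSL 1.1.0 or later `openssl` binary on PATH (1.0.2 has neither `-s` nor security levels) and uses Viktor's cipherstring unchanged.

```shell
#!/bin/sh
# Added example (not from the thread): show how OpenSSL's default security
# level hides anonymous (aNULL) suites, and how an explicit @SECLEVEL=0 in
# the cipherstring brings them back. Assumes an OpenSSL >= 1.1.0 "openssl"
# binary on PATH; 1.0.2 has neither "ciphers -s" nor security levels.

# Viktor's cipherstring from the thread, unchanged.
ANULL_SPEC='aNULL:!EXPORT:!LOW:!eNULL:@STRENGTH'

# Count suites with no peer authentication ("Au=None" in -v output).
# $1 = cipherstring, $2 = extra flags for "openssl ciphers" ("-s" makes the
# tool apply the security level, as the library does during a handshake).
count_anon() {
    openssl ciphers -v $2 "$1" 2>/dev/null | grep -c 'Au=None' || true
}

# What "openssl ciphers" shows without -s: every aNULL suite the library
# was built with (the 15 in Viktor's listing on his build).
anon_unfiltered() { count_anon "$ANULL_SPEC" ""; }

# The same string seen through the default security level (-s): aNULL
# suites are refused at level 1 and above, so none would be offered.
anon_default_level() { count_anon "$ANULL_SPEC" "-s"; }

# Steve's cipherstring fix: an explicit @SECLEVEL=0 re-enables them.
anon_level0() { count_anon "$ANULL_SPEC:@SECLEVEL=0" "-s"; }

# Print a short report; the level-0 count is what a deliberately
# unauthenticated (opportunistic TLS) configuration has to rely on.
seclevel_report() {
    printf 'aNULL suites compiled in     : %s\n' "$(anon_unfiltered)"
    printf 'offered at default seclevel  : %s\n' "$(anon_default_level)"
    printf 'offered with @SECLEVEL=0     : %s\n' "$(anon_level0)"
}

seclevel_report
```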