On Thu, Jun 12, 2014 at 08:59:27PM +0200, Dr. Stephen Henson wrote:

> > When I compile against "master", with the same configuration, I get
> > on the server:
> > 
> >     SSL3 alert write:fatal:handshake failure
> >     SSL_accept:error in SSLv3 read client hello C
> >     error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1435:
> > 
> > The 15 ciphers reported by:
> > 
> > $ openssl ciphers -v 'aNULL:!EXPORT:!LOW:!eNULL:@STRENGTH'
> >
> > are somehow suppressed by the "master" client library.  Is this
> > somehow related to the new "security levels"?  Something else?
> 
> Yes. The default security levels disable anonymous ciphersuites. If you use
> the new -s option to "ciphers" you'll see this.
> 
> Setting the security level to zero either in the API or the cipherstring will
> make them work again.

Is it OK to use the OPENSSL_TLS_SECURITY_LEVEL macro to detect the
existence of security levels and conditionally compile code to set
the default security level back to zero?

    #ifdef OPENSSL_TLS_SECURITY_LEVEL
        /* Backwards compatible security as a base for opportunistic TLS. */
        SSL_CTX_set_security_level(client_ctx, 0);
    #endif

Is there some other macro that is better for this?

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
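
The effect discussed in this thread can be reproduced without a network. The following is an added example, not code from the original message or from the OpenSSL project: it drives an in-memory TLS 1.2 handshake through Python's `ssl` module and sets the level through the cipherstring (`@SECLEVEL=n`). It assumes Python is linked against OpenSSL 1.1.0 or later with anonymous suites compiled in; `make_ctx` and `try_handshake` are hypothetical helper names.

```python
import ssl

def make_ctx(server_side, ciphers):
    """TLS 1.2-capped context with no certificates (anon suites need none)."""
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # TLS 1.3 defines no anonymous suites, so cap the version at 1.2.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ciphers)
    return ctx

def try_handshake(client_ciphers, server_ciphers):
    """Handshake over memory BIOs; return (cipher_name, None) or (None, reason)."""
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = make_ctx(False, client_ciphers).wrap_bio(c_in, c_out)
    server = make_ctx(True, server_ciphers).wrap_bio(s_in, s_out, server_side=True)
    pending = [client, server]
    for _ in range(20):  # far more round trips than a TLS 1.2 handshake needs
        for side in list(pending):
            try:
                side.do_handshake()
                pending.remove(side)
            except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
                pass  # waiting for the peer's next flight
            except ssl.SSLError as exc:
                return None, exc.reason or str(exc)
        # Shuttle each side's output into the other side's input.
        s_in.write(c_out.read())
        c_in.write(s_out.read())
        if not pending:
            return client.cipher()[0], None
    return None, "handshake did not complete"

if __name__ == "__main__":
    client = "aNULL:@SECLEVEL=0"  # constructed sample cipherstrings
    for server in ("aNULL:@SECLEVEL=1", "aNULL:@SECLEVEL=0"):
        print(server, "->", try_handshake(client, server))
```

With the server at level 1 the handshake fails; at level 0 an anonymous (unauthenticated) suite is negotiated, which is the trade-off the proposed `#ifdef` accepts for opportunistic TLS.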
