On Thu, Jun 12, 2014 at 08:59:27PM +0200, Dr. Stephen Henson wrote:

> > When I compile against "master", with the same configuration, I get
> > on the server:
> >
> > SSL3 alert write:fatal:handshake failure
> > SSL_accept:error in SSLv3 read client hello C
> > error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared
> > cipher:s3_srvr.c:1435:
> >
> > The 15 ciphers reported by:
> >
> > $ openssl ciphers -v 'aNULL:!EXPORT:!LOW:!eNULL:@STRENGTH'
> >
> > are somehow suppressed by the "master" client library. Is this
> > somehow related to the new "security levels"? Something else?
>
> Yes. The default security levels disable anonymous ciphersuites. If you use
> the new -s option to "ciphers" you'll see this.
>
> Setting the security level to zero either in the API or the cipherstring will
> make them work again.

Is it OK to use the OPENSSL_TLS_SECURITY_LEVEL macro to detect the
existence of security levels and conditionally compile code to set
the default security level back to zero?

    #ifdef OPENSSL_TLS_SECURITY_LEVEL
        /* Backwards compatible security as a base for opportunistic TLS. */
        SSL_CTX_set_security_level(client_ctx, 0);
    #endif

Is there some other macro that is better for this?

--
    Viktor.