Re: [openssl-users] OpenSSL-1.1-pre5 SSL_CTX_set_tmp_dh_callback

2016-07-01 Thread pepone.onrez
On 1 July 2016 at 12:31, Matt Caswell  wrote:
>
>
> On 01/07/16 11:24, pepone.onrez wrote:
>> Hi,
>>
>> I am trying to update my software to use OpenSSL-1.1 and I am having problems
>> with DH callbacks.
>>
>> When built with 1.1.0-pre5 the callback set with SSL_CTX_set_tmp_dh_callback
>> is not being called; when using 1.0.x it is called as expected.
>>
>> I have built 1.1.0-pre5 from sources with the default configuration; do I
>> need any special build option for this to work?
>>
>> In my test the server and client enable only ADH ciphers, and I see the
>> following ciphers are enabled:
>
> 1.1.0 has the concept of security levels to stop you from accidentally
> configuring bad things. The default security level is 1. ADH ciphers are
> in security level 0 (because they are considered insecure) and are
> therefore disabled by default, i.e. even if you configure them, if the
> security level isn't right then they won't get used.
>
> To set the security level differently you can either append
> "@SECLEVEL=0" to the end of the cipher string, or call
> SSL_set_security_level()/SSL_CTX_set_security_level().
>
> See:
> https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_security_level.html
>
> and
>
> https://www.openssl.org/docs/manmaster/apps/ciphers.html
>
> Matt

Thanks Matt, that was it: setting "SECLEVEL=0" makes the test work.
>
>
>>
>>ADH-AES256-GCM-SHA384
>>ADH-AES128-GCM-SHA256
>>ADH-AES256-SHA256
>>ADH-CAMELLIA256-SHA256
>>ADH-AES128-SHA256
>>ADH-CAMELLIA128-SHA256
>>ADH-AES256-SHA
>>ADH-CAMELLIA256-SHA
>>ADH-AES128-SHA
>>ADH-SEED-SHA
>>ADH-CAMELLIA128-SHA
>>ADH-DES-CBC3-SHA
>>
>>
>> The connection fails with
>>
>> error # = 337002677
>> message = error:141640B5:SSL routines:tls_construct_client_hello:no
>> ciphers available
>>
>> I assume this is related to the DH callback not being called, and so
>> ADH ciphers cannot be used?
>>
>> Any ideas why the DH callback is not being called, as I say the code
>> works fine with all previous OpenSSL versions.
>>
>> Regards,
>> José
>>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] OpenSSL-1.1-pre5 SSL_CTX_set_tmp_dh_callback

2016-07-01 Thread Matt Caswell


On 01/07/16 11:24, pepone.onrez wrote:
> Hi,
> 
> I am trying to update my software to use OpenSSL-1.1 and I am having problems
> with DH callbacks.
> 
> When built with 1.1.0-pre5 the callback set with SSL_CTX_set_tmp_dh_callback
> is not being called; when using 1.0.x it is called as expected.
> 
> I have built 1.1.0-pre5 from sources with the default configuration; do I
> need any special build option for this to work?
> 
> In my test the server and client enable only ADH ciphers, and I see the
> following ciphers are enabled:

1.1.0 has the concept of security levels to stop you from accidentally
configuring bad things. The default security level is 1. ADH ciphers are
in security level 0 (because they are considered insecure) and are
therefore disabled by default, i.e. even if you configure them, if the
security level isn't right then they won't get used.

To set the security level differently you can either append
"@SECLEVEL=0" to the end of the cipher string, or call
SSL_set_security_level()/SSL_CTX_set_security_level().

See:
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_security_level.html

and

https://www.openssl.org/docs/manmaster/apps/ciphers.html

Matt


> 
>ADH-AES256-GCM-SHA384
>ADH-AES128-GCM-SHA256
>ADH-AES256-SHA256
>ADH-CAMELLIA256-SHA256
>ADH-AES128-SHA256
>ADH-CAMELLIA128-SHA256
>ADH-AES256-SHA
>ADH-CAMELLIA256-SHA
>ADH-AES128-SHA
>ADH-SEED-SHA
>ADH-CAMELLIA128-SHA
>ADH-DES-CBC3-SHA
> 
> 
> The connection fails with
> 
> error # = 337002677
> message = error:141640B5:SSL routines:tls_construct_client_hello:no
> ciphers available
> 
> I assume this is related to the DH callback not being called, and so
> ADH ciphers cannot be used?
> 
> Any ideas why the DH callback is not being called, as I say the code
> works fine with all previous OpenSSL versions.
> 
> Regards,
> José
> 