Maik Mueller <[EMAIL PROTECTED]> writes:

> Hello,
> 
> First of all, sorry for opening this discussion again!
> But I want to ask a very precise question:
> 
> I use SSLCipherSuite NULL-MD5 (nothing else).
> 
> Using an RSA Key/Cert it works:
> Init: Configuring server p24958:9443 for SSL protocol
> Init: (p24958:9443) Creating new SSL context (protocols: SSLv3)
> Init: (p24958:9443) Configuring permitted SSL ciphers [NULL-MD5]
> Init: (p24958:9443) Configuring RSA server certificate
> [...]
> Connection: Client IP: 155.56.94.132, Protocol: SSLv3, Cipher: NULL-MD5 (0/0 bits)
> 
> Using a DSA Key/Cert it does not work:
> Init: Configuring server p24958:9443 for SSL protocol
> Init: (p24958:9443) Creating new SSL context (protocols: SSLv3)
> Init: (p24958:9443) Configuring permitted SSL ciphers [NULL-MD5]
> Init: (p24958:9443) Configuring DSA server certificate
> [...]
> SSL handshake failed (server p24958:9443, client 155.56.94.132) (OpenSSL library error follows)
> OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
> [Hint: Too restrictive SSLCipherSuite or using DSA server certificate?]
> 
> From my point of view there is no reason why NULL-MD5 should not be a shared
> cipher in both cases (RSA and DSA).

There are no ciphersuites with DSA and NULL_MD5 defined by SSL.
Therefore it is not possible to negotiate them.

-Ekr
-- 
[Eric Rescorla                                   [EMAIL PROTECTED]]
          PureTLS - free SSLv3/TLS software for Java
                http://www.rtfm.com/puretls/
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
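
The point made in the reply, worked through as an added example (not part of the original thread, and not OpenSSL or mod_ssl code): a simplified model of server-side suite selection in which each SSLv3 suite requires a particular server key type. The suite table is a small subset of the SSLv3 registry, the client offer is constructed sample data, and the function names are hypothetical.

```python
# Added illustration: simplified model of SSLv3 cipher suite selection.
# Each suite fixes the key type the server certificate must have, so a
# suite list that is compatible with RSA can be empty for a DSA-only server.

# (OpenSSL name, SSLv3 suite id, server certificate key type required)
SSLV3_SUITES = [
    ("NULL-MD5",             0x0001, "RSA"),  # SSL_RSA_WITH_NULL_MD5
    ("NULL-SHA",             0x0002, "RSA"),  # SSL_RSA_WITH_NULL_SHA
    ("RC4-MD5",              0x0004, "RSA"),  # SSL_RSA_WITH_RC4_128_MD5
    ("DES-CBC3-SHA",         0x000A, "RSA"),  # SSL_RSA_WITH_3DES_EDE_CBC_SHA
    ("EDH-DSS-DES-CBC3-SHA", 0x0013, "DSA"),  # SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    ("EDH-RSA-DES-CBC3-SHA", 0x0016, "RSA"),  # SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
]

# Constructed sample: what a client might offer, in its preference order.
CLIENT_OFFER = ["DES-CBC3-SHA", "EDH-DSS-DES-CBC3-SHA", "RC4-MD5", "NULL-MD5"]


class NoSharedCipher(Exception):
    """Mirrors the 'no shared cipher' handshake failure seen in the log."""


def usable_suites(configured, server_key_types):
    """Configured suites the server can serve with the keys it actually has."""
    return [name for name, _id, auth in SSLV3_SUITES
            if name in configured and auth in server_key_types]


def negotiate(client_offer, configured, server_key_types):
    """Return the first client-offered suite the server can use.

    Assumption: client preference order decides; a server-preference
    policy would change which suite wins, not whether one exists.
    """
    usable = usable_suites(configured, server_key_types)
    for name in client_offer:
        if name in usable:
            return name
    raise NoSharedCipher(
        f"configured={configured}, server keys={sorted(server_key_types)}")


if __name__ == "__main__":
    for keys in ({"RSA"}, {"DSA"}):
        try:
            print(sorted(keys), "->", negotiate(CLIENT_OFFER, ["NULL-MD5"], keys))
        except NoSharedCipher as exc:
            print(sorted(keys), "-> no shared cipher:", exc)
```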
