On Thu, Jun 12, 2014, Viktor Dukhovni wrote:
> On Thu, Jun 12, 2014 at 08:59:27PM +0200, Dr. Stephen Henson wrote:
>
> > > When I compile against "master", with the same configuration, I get
> > > on the server:
> > >
> > > SSL3 alert write:fatal:handshake failure
> > > SSL_accept:error in SSLv3 read client hello C
> > > error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared
> > > cipher:s3_srvr.c:1435:
> > >
> > > The 15 ciphers reported by:
> > >
> > > $ openssl ciphers -v 'aNULL:!EXPORT:!LOW:!eNULL:@STRENGTH'
> > >
> > > are somehow suppressed by the "master" client library. Is this
> > > somehow related to the new "security levels"? Something else?
> >
> > Yes. The default security levels disable anonymous ciphersuites. If you use
> > the new -s option to "ciphers" you'll see this.
> >
> > Setting the security level to zero either in the API or the cipherstring
> > will make them work again.
>
> Is it OK to use the OPENSSL_TLS_SECURITY_LEVEL macro to detect the
> existence of security levels and conditionally compile code to set
> the default security level back to zero?
>
> #ifdef OPENSSL_TLS_SECURITY_LEVEL
> /* Backwards compatible security as a base for opportunistic TLS. */
> SSL_CTX_set_security_level(client_ctx, 0);
> #endif
>
> Is there some other macro that is better for this?
>
I'd recommend any of the SSL_SECOP_* values such as SSL_SECOP_PEER.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
