When testing s_server/s_client with ECDHE-RSA based ciphers - with any protocol version - on the OpenSSL 1.0.1m release - on x86_64 Fedora 16 the handshake fails with: 140305461679776:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1389:
Example commands: s_server: ./openssl s_server -cert rsa1024TestServer.cert.pem -key rsa1024TestServer.key.pem -WWW -accept 4411 -cipher ECDHE-RSA-AES128-SHA -nbio -tls1_2 -debug -state s_client: echo "GET /file_1byte.html HTTP/1.0" | ./openssl s_client -host localhost -port 4411 -cipher ECDHE-RSA-AES128-SHA -tls1_2 -ign_eof -debug -state The issue has been tracked back to breaking on the following commit:- commit 059907771b89549cbd07a81df1a5bdf51e062066 Author: Matt Caswell <[email protected]> Date: Fri Feb 27 00:02:06 2015 +0000 Fix warning with no-ec This fixes another warning when config'd with no-ec Reviewed-by: Dr. Stephen Henson <[email protected]> And I have confirmed it has been broken by the following uninitialised variable: @@ -992,7 +992,10 @@ int MAIN(int argc, char *argv[]) int badop = 0, bugs = 0; int ret = 1; int off = 0; - int no_tmp_rsa = 0, no_dhe = 0, no_ecdhe = 0, nocert = 0; + int no_tmp_rsa = 0, no_dhe = 0, nocert = 0; +#ifndef OPENSSL_NO_ECDH + int no_ecdhe; <---------------- Should have been initialised to 0 +#endif Sorry I would have supplied the fix as a patch but I haven't got my head around how to do that yet. It is still broken in the latest 1.0.1-stable branch. I have checked the other branches and only 1.0.1-stable appears to be affected. Kind Regards, Steve Linsell Intel Shannon DCG/CID Software Development Team [email protected] -------------------------------------------------------------- Intel Shannon Limited Registered in Ireland Registered Office: Collinstown Industrial Park, Leixlip, County Kildare Registered Number: 308263 Business address: Dromore House, East Park, Shannon, Co. Clare This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies. _______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
