"C. Gould" wrote:
>
> On Thursday 26 July 2001 02:48 am, you wrote:
> > Lutz Jaenicke wrote:
> > > On Wed, Jul 25, 2001 at 11:22:09AM +1000, DT wrote:
> > > > I have a simple server which I can connect to using the openssl
> > > > client, and using Netscape no problems.
> > > >
> > > > MS Internet Explorer refuses to connect and I get the dreaded
> > > > "no shared cipher" message on my server.
> > > >
> > > > Pointing IE to openssl s_server indicates it using EXP-RC4-MD5.
> > > > I have tried setting ciphers with SSL_CTX_set_cipher_list()
> > > > and the changes can be demonstrated with s_client but IE still
> > > > fails. I can run c_client -cipher EXP-RC4-MD5 and it works
> > > > just fine. What the hell does IE want?
> > >
> > > If I would have a simple answer, I would give it to you.
> > > s_client will run with SSLv2-TLSv1 enabled (SSLv3/TLSv1 preferred),
> > > so EXP-RC4-MD5 will be the SSLv3 version.
> > > I have just tried with SSLv2 only, SSLv3 only etc and it seems to work
> > > between s_client and s_server...
> > >
> > > Could you kindly perform an ssldump of the connection and post
> > > the output?
> >
> > Well after messing around with it a whole heap, and getting the
> > latest 0.9.6b (was 0.9.6) I can get s_client to fail when the
> > server has SSLv23_server_method if I specify the particular
> > cipher that IE tends to use. Here is the output:
> > > % openssl s_client -connect localhost:8443 -cipher EXP-RC4-MD5 -debug
> > > CONNECTED(00000003)
> > > write to 08173FF8 [08176030] (49 bytes => 49 (0x31))
> > > 0000 - 80 2f 01 03 01 00 06 00-00 00 20 00 00 03 02 00   ./........ .....
> > > 0010 - 80 3f 7e c8 31 79 0e 2e-e6 8a 8a 26 32 54 4f b7   .?~.1y.....&2TO.
> > > 0020 - fd c6 4f 63 98 36 94 87-56 d2 3e 4f a7 ae 0f 83   ..Oc.6..V.>O....
> > > 0030 - cf                                                .
> > > read from 08173FF8 [0817B590] (7 bytes => 7 (0x7))
> > > 0000 - 15 03 01 00 02 02 28                              ......(
> > > 24993:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:455:
> >
> > And on the server:
> > > error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
> >
> > If I run it with -ssl2 it works.
> > If I point IE at s_server, it works and uses TLSv1/SSLv3, EXP-RC4-MD5.
> > Is there any other debug I can provide that will help?
>
> What version of IE are you using? I've run into problems using older
> versions of IE that only support export ciphers. If you only have a 1024
> bit key you might want to try using a 512 bit one and see if that fixes
> your problem. From your output it looks like you are trying to use export
> ciphers, but if you don't have a 512 bit key I don't think you'll get very
> far.
>

Yep, that was it. I had a 1024 bit key. Changed it to 512 and now it
works with IE out of the box. The latest upgrade to IE 5 service pack 2
also works with the 1024 bit key.

Thanks heaps guys!!
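
The two packets in the -debug dump above can be decoded by hand. The following is an added example, not part of the original thread or of OpenSSL; the function names are hypothetical. It parses the 49-byte SSLv2-format ClientHello and the 7-byte reply, showing that the client offered only the SSLv3/TLS and SSLv2 encodings of EXP-RC4-MD5 and that the server answered with a fatal handshake_failure alert.

```python
import struct

# Bytes copied from the s_client -debug dump quoted in the thread.
CLIENT_WRITE = bytes.fromhex(
    "802f010301000600 0000200000030200"
    "803f7ec831790e2e e68a8a2632544fb7"
    "fdc64f6398369487 56d23e4fa7ae0f83 cf")
SERVER_REPLY = bytes.fromhex("15030100020228")

CIPHER_NAMES = {
    0x000003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5 (SSLv3/TLS EXP-RC4-MD5)",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5 (SSLv2 EXP-RC4-MD5)",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure"}

def parse_v2_client_hello(data):
    """Decode an SSLv2-format ClientHello with a 2-byte record header."""
    if len(data) < 11 or not data[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record")
    rec_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:]
    if rec_len != len(body):
        raise ValueError("record length mismatch")
    msg_type, major, minor, spec_len, sid_len, chal_len = struct.unpack(
        ">BBBHHH", body[:9])
    if msg_type != 1:
        raise ValueError("not a ClientHello")
    if spec_len % 3 or 9 + spec_len + sid_len + chal_len != rec_len:
        raise ValueError("inconsistent field lengths")
    specs = body[9:9 + spec_len]  # each cipher spec is 3 bytes
    ciphers = [int.from_bytes(specs[i:i + 3], "big")
               for i in range(0, spec_len, 3)]
    return {"version": (major, minor), "ciphers": ciphers,
            "session_id_len": sid_len, "challenge_len": chal_len}

def parse_alert(data):
    """Decode a plaintext SSLv3/TLS alert record (type 21, 2-byte body)."""
    ctype, major, minor, length = struct.unpack(">BBBH", data[:5])
    if ctype != 21 or length != 2 or len(data) != 7:
        raise ValueError("not a plaintext alert record")
    return {"version": (major, minor),
            "level": ALERT_LEVELS.get(data[5], data[5]),
            "description": ALERT_DESCRIPTIONS.get(data[6], data[6])}

if __name__ == "__main__":
    hello = parse_v2_client_hello(CLIENT_WRITE)
    print("client version:", hello["version"])
    for code in hello["ciphers"]:
        print("  offered 0x%06x %s" % (code, CIPHER_NAMES.get(code, "?")))
    print("server reply:", parse_alert(SERVER_REPLY))
```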