On 12/08/04 11:44 AM, Louis LeBlanc sat at the `puter and typed:
> <SNIP>
>
> Ok, I finally figured this one out.
>
> It was the cipher list after all.
>
> My initial configuration used the list [EMAIL PROTECTED], which was intended
> to maximize the list of ciphers used while giving preference to weaker
> ciphers - to minimize overhead. Problem is the server in question was
> choking on one of them before it got the one it liked.
>
> When I changed the cipher list to DEFAULT, it worked fine. Of course,
> DEFAULT is normally defined as ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH. I
> also tried a tweak to this list: ALL:RC4+RSA:+SSLv2:+ADH:@STRENGTH,
> which also worked. So I'm speculating that there is some kind of hangup
> with the ADH ciphers. I haven't kept up on them in the last several
> years, but I seem to remember that they were nontrivial to generate
> certs for and use.
>
> So that's it. Configuration error, and nothing wrong with OpenSSL or my
> code :)
>
> Thanks Dr. Henson for providing feedback on this issue.

Turns out the client was configured even more narrowly than I initially
realized. The ciphers being used were EXPORT only. Of course this leaves
out the RC4+RSA ciphers altogether.

Still leaves the question why OpenSSL couldn't report the fact that no
cipher could be agreed upon. Is there any way I can catch that state?

Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
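
Added example (not part of the original message and not OpenSSL project code): one way to observe the "no cipher could be agreed upon" state, using Python's ssl module, which wraps OpenSSL, with the handshake run entirely in memory. Assumptions: the function name handshake_failure_reasons and the cipher name are constructed for illustration, and the state is produced by a server context with no certificate loaded, which leaves it no usable suite for the client's offer.

```python
import ssl


def handshake_failure_reasons(client_ciphers="ECDHE-RSA-AES128-GCM-SHA256"):
    """Run a TLS 1.2 handshake over memory BIOs; return (server_reason, client_reason)."""
    # Constructed condition: the server loads no certificate, so it cannot
    # use any RSA-authenticated suite and nothing the client offers matches.
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.maximum_version = ssl.TLSVersion.TLSv1_2

    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.check_hostname = False
    client_ctx.verify_mode = ssl.CERT_NONE
    client_ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    client_ctx.set_ciphers(client_ciphers)

    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)

    sides = (("client", client, c_out, s_in), ("server", server, s_out, c_in))
    reasons = {}
    for _ in range(10):  # bounded pump: a failed handshake ends in two rounds
        for name, conn, out_bio, peer_in in sides:
            if name not in reasons:
                try:
                    conn.do_handshake()
                    reasons[name] = None  # handshake completed, no error
                except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
                    pass  # needs more bytes from the peer
                except ssl.SSLError as exc:
                    # exc.reason is OpenSSL's reason mnemonic for the error
                    reasons[name] = exc.reason
            data = out_bio.read()
            if data:
                peer_in.write(data)  # deliver records (or the alert) to the peer
        if len(reasons) == 2:
            break
    return reasons.get("server"), reasons.get("client")


if __name__ == "__main__":
    server_reason, client_reason = handshake_failure_reasons()
    print("server side:", server_reason)
    print("client side:", client_reason)
```

The specific reason is recorded on the side that makes the selection (the server); the client only receives a generic fatal handshake-failure alert, so the server's error queue or log is the place to look for it.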