On Wed, Feb 09, 2005, Nauman Akbar wrote:

> Dear Users,
>
> I am in urgent need of help. If anyone can guide, I will be very
> thankful. I have given problem details below after necessary
> introduction.
>
> I have scanned through the list archive as much as possible and I
> could only find one message with a similar problem. The message is
> http://marc.theaimsgroup.com/?l=openssl-users&m=109629664621684&w=2
> Nobody replied to it.
> I suspect this is with reference to the DoS flaw (resolved on 17/03/2004)
> but I am not sure. I am already upgrading my OpenSSL version to check
> it out. If anyone can help please respond.
>
> In my case,
> - SSL_accept returns -1
> - SSL_get_error returns SSL_ERROR_SSL
> - SSL_error_string returns "error:00000001:lib(0):func(0):reason(1)"
> - ERR_print_errors does not print anything, so I presume the queue is empty.
>
> The most intriguing part is that when I was writing this server, I
> developed a small client just to test connectivity. That client
> succeeds. However, when doing live testing not a single connection was
> accepted from outside. The test client was run on the same host. I
> obtained network traffic using "ssldump"
> (http://www.rtfm.com/ssldump/). Its dump is given below for a single
> connection.
>
> System details are as follows:
> - Linux (RH 9)
> - OpenSSL 0.9.7a
> - x86 box
>
> The ssldump gives:
>
> New TCP connection #144: w.x.y.z <-> a.b.c.d
> 144 1  0.0872 (0.0872)  C>SV3.0(57)  Handshake
>       ClientHello
>         Version 3.0
>         random[32]=
>           42 0a 0e cb b1 24 f5 d0 9d b6 27 3b 40 bc e2 37
>           40 5d 24 05 c4 9b 31 d8 90 46 7b 28 c8 83 f5 c2
>         cipher suites
>         Unknown value 0x3a
>         Unknown value 0x34
>         SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
>         SSL_DH_anon_WITH_DES_CBC_SHA
>         SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
>         SSL_DH_anon_WITH_RC4_128_MD5
>         SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
>         compression methods
>                   NULL
> 144 2  0.0874 (0.0001)  S>CV3.0(2)  Alert
>     level           fatal
>     value           handshake_failure
> 144    0.0875 (0.0001)  S>C  TCP FIN
> 144    0.1368 (0.0492)  C>S  TCP FIN
>
> Sometimes the last two lines of "TCP FIN" are there, sometimes not. I
> am unable to obtain an ssldump for the test localhost client.
>
> Please guys, it is quite an urgent situation. Please respond quickly.
>
If those are the only cipher suites the client is sending then you'll need
to set some DH parameters and enable anon-DH in the cipher string. It must
also be a non-standard client to only support anon-DH.

You can simulate that situation using:

openssl s_client -cipher ADH:@STRENGTH [other options]

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
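Added example, not part of the thread and not OpenSSL project code: the
diagnosis in Steve's reply reproduced on loopback with Python's ssl module,
which drives the same OpenSSL cipher-string and DH-parameter settings the
C API exposes via SSL_CTX_set_cipher_list() and SSL_CTX_set_tmp_dh(). The
ClientHello in the dump offers only anonymous DH suites (0x3a and 0x34, the
values ssldump did not know, are TLS_DH_anon_WITH_AES_256/128_CBC_SHA from
RFC 3268). A server with the stock cipher list has no suite in common and
answers with the fatal handshake_failure seen in the dump; after loading DH
parameters and enabling ADH the same client negotiates. Assumptions beyond
the thread: the DH parameters are RFC 3526 group 14 (2048-bit MODP, g = 2),
DER/PEM-encoded inline so no `openssl dhparam` run is needed; current OpenSSL
builds hide anonymous suites above security level 0, so `@SECLEVEL=0` is
appended, and the maximum version is pinned to TLS 1.2 because TLS 1.3 has
no anonymous suites. The function and variable names are the example's own.

```python
"""Reproduce the thread's failure mode on loopback: a client that offers only
anonymous DH suites gets a fatal handshake_failure from a server with the stock
cipher list, and succeeds once the server loads DH parameters and enables ADH."""
import base64
import os
import socket
import ssl
import tempfile
import threading

# RFC 3526 group 14 (2048-bit MODP), generator 2. Embedded (assumption, not from
# the thread) so the example runs without shelling out to `openssl dhparam`.
_MODP_2048_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
MODP_2048_P = int("".join(_MODP_2048_HEX.split()), 16)


def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a high-bit value positive."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def dh_params_pem(p: int = MODP_2048_P, g: int = 2) -> str:
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-wrapped,
    i.e. what `openssl dhparam` would write and SSL_CTX_set_tmp_dh() consumes."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def run_handshake(server_ciphers=None, dh_pem=None, client_ciphers="ADH:@SECLEVEL=0"):
    """One TLS 1.2 handshake over loopback against an anon-DH-only client.
    Returns {"client": ..., "server": ...}: the negotiated cipher name on success,
    otherwise that side's OpenSSL error reason (e.g. NO_SHARED_CIPHER)."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    for ctx in (srv, cli):
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.3 has no anonymous suites
    cli.check_hostname = False
    cli.verify_mode = ssl.CERT_NONE                   # anon-DH: there is no certificate to verify
    cli.set_ciphers(client_ciphers)                   # mimics the dump: ADH suites only
    if dh_pem is not None:                            # the "set some DH parameters" step
        fd, path = tempfile.mkstemp(suffix=".pem")
        with os.fdopen(fd, "w") as f:
            f.write(dh_pem)
        try:
            srv.load_dh_params(path)
        finally:
            os.unlink(path)
    if server_ciphers is not None:                    # the "enable anon-DH" step
        srv.set_ciphers(server_ciphers)

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]
    result = {}

    def serve():
        try:
            conn, _ = listener.accept()
        except OSError as e:
            result["server"] = "accept failed: %s" % e
            return
        conn.settimeout(5)
        try:
            with srv.wrap_socket(conn, server_side=True) as tls:   # SSL_accept()
                result["server"] = tls.cipher()[0]
                tls.sendall(b"hello from the anon-DH server")
        except OSError as e:                                       # SSLError is an OSError
            result["server"] = getattr(e, "reason", None) or str(e)
        finally:
            conn.close()

    t = threading.Thread(target=serve)
    t.start()
    try:
        raw = socket.create_connection(("127.0.0.1", port), timeout=5)
        with cli.wrap_socket(raw) as tls:                          # SSL_connect()
            tls.recv(64)
            result["client"] = tls.cipher()[0]
    except OSError as e:
        result["client"] = getattr(e, "reason", None) or str(e)
    finally:
        t.join(5)
        listener.close()
    return result


if __name__ == "__main__":
    print("stock server cipher list:", run_handshake())
    print("ADH enabled + DH params: ", run_handshake("ADH:@SECLEVEL=0", dh_params_pem()))
```

The first call shows the failure in the dump from the server's side (no shared
cipher, client sees the handshake_failure alert); the second shows both
conditions from the reply satisfied. Keep in mind what the fix buys: anonymous
DH provides no server authentication at all, so enabling ADH for such a client
accepts an active man-in-the-middle by design, and the security level has to
be lowered to 0 on current OpenSSL to get the suites at all.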