On Wed, Jan 04, 2006, Samy Thiyagarajan wrote:

> Hi,
> 
> I still couldn't get rid of the error 
> 
> SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:888 
> 
> I have given below the code. I understand that I missed something or I'm 
> wrong with the logic itself. Can someone make things clear? It would be of 
> GREAT help.
> 
> --------------------------------
>     SSL     *ssl;
>     SSL_CTX *ctx;
>     BIO     *client_bio;
>     BIO     *bio = NULL;
>     DH      *dh  = NULL;
>     RSA     *rsa = NULL;
> 
>     // Initialize (SSL_library_init() already registers the SSL algorithms)
>     SSL_library_init();
>     SSL_load_error_strings();   /* readable error messages */
> 
>     // load the certificate and private key (the same file is passed for both)
>     ctx = ssl_initialize_context( SERVER_KEYFILE, SERVER_KEYFILE );
>     if (ctx == NULL)
>         FatalError("Couldn't create SSL context");
> 
>     // load DH parameters (needed by the DH and anon-DH ciphersuites)
>     if ((bio = BIO_new_file(DHFILE, "r")) == NULL)
>         FatalError("Couldn't open DH file");
>     dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
>     BIO_free(bio);
>     if (dh == NULL)
>         FatalError("Couldn't read DH parameters");
>     // returns 1 on success and 0 on failure; the context keeps its own copy
>     if (SSL_CTX_set_tmp_dh(ctx, dh) != 1)
>         FatalError("Couldn't set DH parameters");
>     DH_free(dh);
> 
>     // generate an ephemeral RSA key (only used by the 512-bit export ciphersuites)
>     rsa = RSA_generate_key(512, RSA_F4, NULL, NULL);
>     if (rsa == NULL || !SSL_CTX_set_tmp_rsa(ctx, rsa))
>         FatalError("Couldn't set RSA key");
>     RSA_free(rsa);
> 
>     // set the cipher list; returns 1 if at least one cipher matched
>     if (!SSL_CTX_set_cipher_list(ctx, "ALL:eNULL"))
>         FatalError("Couldn't set cipher list");
> 
> *****
>   A TCP socket is created and connection is accepted.
> ***** 
> 
>     client_bio = BIO_new_socket(clientSocket, BIO_NOCLOSE);
>     ssl = SSL_new(ctx);
>     if (ssl == NULL)
>         FatalError("Couldn't create SSL object");
>     SSL_set_bio(ssl, client_bio, client_bio);
> 
>     // SSL accept: returns 1 on success, 0 or a negative value on failure
>     if (SSL_accept(ssl) <= 0) {
>         ERR_print_errors_fp(stderr);    /* say which alert/error we hit */
>         FatalError("ERROR in SSL_accept\n");
>     }
>  --------------------------------------------------------------------
> 
> The function  SSL_CTX_set_cipher_list()  returns 1.
> 

You haven't specified any server certificate in the server code. That means
that all the authenticated ciphersuites will be unavailable. That may be the
problem in itself if the client only supports authenticated ciphersuites (most
web browsers for example).

By default the unauthenticated ciphersuites (anon-DH) are disabled and need to
be specifically enabled in the cipher list.

You've done that above. Note: you should really have an @STRENGTH at the end of
the cipher list.

So that leaves the client. Whatever you are connecting this to may not support
anon DH ciphersuites or have them disabled by default. If you are using
s_client for example you'll need to explicitly enable them with the -cipher
option.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
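The reasoning in the reply above (a server with no certificate can only use the anonymous suites, a browser-like client never offers them, and s_client has to be told to with -cipher) can be checked offline with `openssl ciphers`, which expands a cipher string the same way SSL_CTX_set_cipher_list() does. The script below is an added example, not code from the thread or from the OpenSSL project; it assumes an `openssl` binary on PATH and opens no socket. It models negotiation as the intersection of the client's expanded list with what the server can actually use, taken in the client's order (OpenSSL's default unless SSL_OP_CIPHER_SERVER_PREFERENCE is set), and models "no certificate loaded" as restricting the server to the aNULL suites. The cipher strings used in the scenarios are the thread's own ("ALL:eNULL") plus DEFAULT and "aNULL:@STRENGTH" standing in for a browser and for s_client -cipher.

```shell
#!/bin/sh
# Added example: reproduce "no shared cipher" offline with `openssl ciphers`.
# Assumption: an `openssl` binary is on PATH; nothing here touches the network.

# Expand an OpenSSL cipher string into one suite name per line.
# OpenSSL 1.1.1+ always prepends the TLS 1.3 suites (TLS_...); they are dropped
# because TLS 1.3 has no anonymous key exchange and the thread predates it.
# An invalid cipher string expands to nothing.
expand() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -v '^TLS_' || :
}

# Print the entries of newline-separated list $1 that also occur in list $2,
# keeping the order of $1 (suite names contain no whitespace).
intersect() {
    for s in $1; do
        printf '%s\n' "$2" | grep -qx -- "$s" && printf '%s\n' "$s"
    done
    return 0
}

# Suites the server can really offer: its configured list ($1), restricted to
# the anonymous (aNULL) suites when no certificate is loaded ($2 = nocert).
server_usable() {
    configured=$(expand "$1")
    if [ "$2" = cert ]; then
        printf '%s\n' "$configured"
    else
        intersect "$configured" "$(expand aNULL)"
    fi
}

# Suites both sides can use, in the client's preference order.
# $1 = client cipher string, $2 = server cipher string, $3 = cert|nocert
shared_suites() {
    intersect "$(expand "$1")" "$(server_usable "$2" "$3")"
}

shared_count() {
    shared_suites "$1" "$2" "$3" | grep -c . || :
}

# By default an OpenSSL server takes the first suite in the client's list that
# it supports, so the negotiated suite is the head of the shared list.
negotiate() {
    chosen=$(shared_suites "$1" "$2" "$3" | head -n 1)
    if [ -z "$chosen" ]; then
        echo "no shared cipher"
        return 1
    fi
    echo "$chosen"
}

# The three situations discussed in the thread; the server is "ALL:eNULL".
echo "browser-like client (DEFAULT) vs server with no cert:     $(negotiate DEFAULT 'ALL:eNULL' nocert)"
echo "s_client -cipher 'aNULL:@STRENGTH' vs server with no cert: $(negotiate 'aNULL:@STRENGTH' 'ALL:eNULL' nocert)"
echo "browser-like client (DEFAULT) vs server with a cert:      $(negotiate DEFAULT 'ALL:eNULL' cert)"
```

On OpenSSL 1.1.0 and later a live test has to go one step further than this model: the default security level refuses anonymous suites at handshake time even when the cipher string lists them, so both the s_client -cipher argument and the server's cipher list need an explicit `@SECLEVEL=0` (for example `-cipher 'aNULL:@SECLEVEL=0'`). `openssl ciphers` does not apply that filter, which is why the model above is optimistic on that one point.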
