Hello,
> 
> To check if my client or server is causing the problem, I ran my client with
> s_server and ran my server with s_client.
> my client can connect to s_server without any trouble.
> But s_client can not connect to my server.
> 
> Here is information s_client dumps on my screen:
> =================
> (urjit) test_app>openssl s_client -cipher 'EXP-DES-CBC-SHA' -connect
> localhost:7777 -verify client_cert/cacert.pem -cert
> client_cert/cli-cert.pem -crlf  -key
> client_cert/cli-key.pem -ssl3 -debug -msg -state
> verify depth is 0
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> write to 0x80e6a10 [0x80f1768] (50 bytes => 50 (0x32))
> 0000 - 16 03 00 00 2d 01 00 00-29 03 00 44 ab 8b 5e db   ....-...)..D..^.
> 0010 - df 4c 4d ff 08 f9 2b 85-9c 1e 1b 49 04 00 db 92   .LM...+....I....
> 0020 - 59 53 17 7c a7 45 98 ca-c6 33 48 00 00 02 00 08   YS.|.E...3H.....
> 0030 - 01                                                .
> 0032 - <SPACES/NULS>
> >>> SSL 3.0 Handshake [length 002d], ClientHello
>     01 00 00 29 03 00 44 ab 8b 5e db df 4c 4d ff 08
>     f9 2b 85 9c 1e 1b 49 04 00 db 92 59 53 17 7c a7
>     45 98 ca c6 33 48 00 00 02 00 08 01 00
> SSL_connect:SSLv3 write client hello A
In this dump the client sends a ClientHello (client_hello) packet
with the following characteristics:
01 - handshake type 1 message (client_hello)
000029 - length of packet (41 bytes)
0300 - SSL3 protocol proposition
44ab8...c63348 - client random (32 bytes)
00 - session id length (no session id here)
0002 - cipher suite length
0008 - proposed cipher: SSL3_CK_RSA_DES_40_CBC_SHA
01 - compression methods length
00 - no compression

> read from 0x80e6a10 [0x80ecf58] (5 bytes => 5 (0x5))
> 0000 - 15 03 00 00 02                                    .....
> read from 0x80e6a10 [0x80ecf5d] (2 bytes => 2 (0x2))
> 0000 - 02 28                                             .(
> <<< SSL 3.0 Alert [length 0002], fatal handshake_failure
>     02 28
In response to client_hello we received ALERT protocol message
(record header 15 03 00 00 02 means:
        15 - alert protocol
        0300 - SSL3 alert protocol
        0002 - length of data (should be 2 - and it is :-)
and in ALERT data we have:
        02 - severity level: fatal
        28 - description: handshake failure
This alert means that the server cannot accept the client's proposition
sent in the client_hello packet.
The client_hello packet here is very simple and in reality has only one
proposition: cipher suite SSL3_CK_RSA_DES_40_CBC_SHA.
To me it seems that the server does not want to accept this
proposition because it:
        - does not have RSA support (maybe)
        - does not have SHA support (maybe)
        - does not have DES support (maybe) or DES40 is too weak.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
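The byte-by-byte reading in the reply above can be reproduced with a short decoder. This is an added example, not part of the original message or of OpenSSL; the function names are hypothetical, and the lookup tables name only the values that appear in this dump.

```python
import struct

# Record bytes copied from the s_client -debug dump quoted in the message.
CLIENT_HELLO_RECORD = bytes.fromhex(
    "16 03 00 00 2d 01 00 00 29 03 00 44 ab 8b 5e db"
    "df 4c 4d ff 08 f9 2b 85 9c 1e 1b 49 04 00 db 92"
    "59 53 17 7c a7 45 98 ca c6 33 48 00 00 02 00 08"
    "01 00")
ALERT_RECORD = bytes.fromhex("15 03 00 00 02 02 28")

# Only the values that appear in this dump are named.
SUITES = {0x0008: "SSL3_CK_RSA_DES_40_CBC_SHA"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0x28: "handshake_failure"}

def parse_record(data):
    """Return (content_type, (major, minor), payload) for one record."""
    if len(data) < 5:
        raise ValueError("record header needs 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if len(data) - 5 != length:
        raise ValueError("record length field does not match payload")
    return ctype, (major, minor), data[5:]

def parse_client_hello(payload):
    """Decode a handshake payload holding a single ClientHello."""
    if len(payload) < 4 or payload[0] != 1:
        raise ValueError("not a ClientHello")
    body = payload[4:]
    if int.from_bytes(payload[1:4], "big") != len(body) or len(body) < 38:
        raise ValueError("bad handshake length")
    pos = 35 + body[34]                      # skip version, random, session id
    n = int.from_bytes(body[pos:pos + 2], "big")
    ids = [int.from_bytes(body[i:i + 2], "big")
           for i in range(pos + 2, pos + 2 + n, 2)]
    comp_at = pos + 2 + n
    if comp_at >= len(body):
        raise ValueError("ClientHello truncated before compression methods")
    return {"version": (body[0], body[1]), "random": body[2:34],
            "session_id": body[35:pos],
            "cipher_suites": [SUITES.get(i, hex(i)) for i in ids],
            "compression": list(body[comp_at + 1:comp_at + 1 + body[comp_at]])}

def parse_alert(payload):
    """Decode the two-byte alert body into (level, description)."""
    if len(payload) != 2:
        raise ValueError("alert body must be 2 bytes")
    return (ALERT_LEVELS.get(payload[0], hex(payload[0])),
            ALERT_DESCRIPTIONS.get(payload[1], hex(payload[1])))
```

Calling `parse_client_hello(parse_record(CLIENT_HELLO_RECORD)[2])` shows the single offered suite, and `parse_alert(parse_record(ALERT_RECORD)[2])` shows the server's reply to it.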
