Hello,

> >For me this seems that the server does not want to accept this
> >proposition because:
> > - it does not have RSA support (maybe)
> > - it does not have SHA support (maybe)
> > - it does not have DES support (maybe), or DES40 is too weak.
> >
> >Best regards,
> >--
> >Marek Marcola <[EMAIL PROTECTED]>
>
> Well ... as per my understanding, the cipher support is a
> property of the crypto library. And my client and server both
> use the same crypto library. So I wonder why the server would
> reject the client's request.

Yes, but you have control over which ciphers should be used.
But after some testing I think that an incompatible SSL3/TLS1 method may cause the problem (as suggested by girish1729). For example, running the server with the command:

  $ openssl s_server -key key.pem -cert cert.pem -tls1

and then running the client:

  $ openssl s_client -cipher 'EXP-DES-CBC-SHA' -ssl3 -debug
  CONNECTED(00000003)
  write to 0989A390 [098A4F58] (50 bytes => 50 (0x32))
  0000 - 16 03 00 00 2d 01 00 00-29 03 00 44 b2 8b bd f6   ....-...)..D....
  0010 - 7a 77 a4 34 94 e2 6a e4-56 8a 45 a4 f2 c0 d4 25   zw.4..j.V.E....%
  0020 - 1e 09 b4 0f 34 11 60 e0-64 9d 4a 00 00 02 00 08   ....4.`.d.J.....
  0030 - 01                                                .
  0032 - <SPACES/NULS>
  read from 0989A390 [098A0748] (5 bytes => 5 (0x5))
  0000 - 15 03 00 00 02                                    .....
  read from 0989A390 [098A074D] (2 bytes => 2 (0x2))
  0000 - 02 28                                             .(
  8067:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40
  8067:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:

we get the same kind of error as in your post. And on the server side we see:

  8064:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:685:

> Are there any APIs that I can use in my server to get more
> debug information? Is it possible for me to enable/disable
> logging in the crypto library?

My suggestion is to display the errors after a failed SSL_accept() in the server code, for example:

  #include <stdio.h>
  #include <openssl/err.h>

  /* Drain the OpenSSL error queue after SSL_accept() fails and print
   * every queued entry (the queue is per-thread and holds all errors
   * recorded since it was last read). */
  char buf[256];
  unsigned long err;
  while ((err = ERR_get_error()) != 0) {
      ERR_error_string_n(err, buf, sizeof(buf));
      fprintf(stderr, "%s\n", buf);
  }

Other methods may be a callback function at the state or msg layer.

> Also, as we are on the topic, where could I get the
> information about the messages exchanged between server and
> client? The way you explained the data was really helpful.

The RFC is OK but very boring :-)
My suggestion is to look at the book "SSL and TLS Essentials" by Stephen Thomas (WILEY) - a very good book.
Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
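To make the hex dump in the reply above easier to read, here is a small decoder for the two records it shows (the ClientHello the client wrote and the alert the server answered with). This is an added example, not code from the mailing-list post or from OpenSSL; the byte strings are transcribed from the post's s_client -debug output (the two alert reads are joined into one record), and the version-check function models the post's server-side "wrong version number" error by comparing the ClientHello's client_version with the versions a server method is willing to speak. The cipher-suite and alert name tables contain only the standard IANA/OpenSSL mappings needed here.

```python
"""Decode the SSLv3 ClientHello and the fatal alert from the post's s_client
-debug output, and show why a server started with "s_server -tls1" refuses it.

Added example; not code from the post or from OpenSSL. Byte strings are
transcribed from the hex dump in the post.
"""
import struct

CLIENT_HELLO_SSL3 = bytes.fromhex(
    "160300002d01000029030044b28bbdf6"   # record header, handshake header, client_version 3.0, random...
    "7a77a43494e26ae4568a45a4f2c0d425"
    "1e09b40f341160e0649d4a0000020008"   # ...random, session_id len 0, one cipher suite 0x0008
    "0100"                               # compression methods: one entry, null (trailing 00 trimmed in the dump)
)
ALERT_FROM_SERVER = bytes.fromhex("1503000002" "0228")   # 5-byte header read + 2-byte body read

VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
CIPHER_SUITE_NAMES = {  # IANA code -> OpenSSL name (only entries needed for this example)
    0x0004: "RC4-MD5", 0x0005: "RC4-SHA", 0x0008: "EXP-DES-CBC-SHA",
    0x000A: "DES-CBC3-SHA", 0x002F: "AES128-SHA", 0x0035: "AES256-SHA",
}
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}
CONTENT_ALERT, CONTENT_HANDSHAKE, HANDSHAKE_CLIENT_HELLO = 0x15, 0x16, 0x01


def parse_record(data):
    """Split one SSL/TLS record: 1-byte type, 2-byte version, 2-byte length, body."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    return {"type": ctype, "version": (major, minor), "body": body}


def parse_client_hello(data):
    """Extract the ClientHello fields that decide whether a handshake can proceed."""
    rec = parse_record(data)
    if rec["type"] != CONTENT_HANDSHAKE:
        raise ValueError("not a handshake record")
    body = rec["body"]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != HANDSHAKE_CLIENT_HELLO or len(body) != 4 + hs_len:
        raise ValueError("not a well-formed ClientHello")
    hello = body[4:]
    client_version = (hello[0], hello[1])
    pos = 2 + 32                        # skip client_version and the 32-byte random
    sid_len = hello[pos]
    pos += 1 + sid_len                  # length-prefixed session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]
    pos += 1
    compression = list(hello[pos:pos + comp_len])
    return {
        "record_version": rec["version"],
        "client_version": client_version,
        "cipher_suites": suites,
        "cipher_names": [CIPHER_SUITE_NAMES.get(s, "0x%04x" % s) for s in suites],
        "compression": compression,
    }


def parse_alert(data):
    """Decode an alert record into level and description."""
    rec = parse_record(data)
    if rec["type"] != CONTENT_ALERT or len(rec["body"]) != 2:
        raise ValueError("not an alert record")
    level, desc = rec["body"]
    return {"level": "fatal" if level == 2 else "warning",
            "description": desc,
            "name": ALERT_NAMES.get(desc, "unknown")}


def explain_rejection(hello, server_versions):
    """Return why a server limited to server_versions refuses hello, or None if the version fits.

    Models the check behind the post's server-side error: the ClientHello's
    client_version must be one the server's method (e.g. -tls1) will speak.
    """
    cv = hello["client_version"]
    if cv in server_versions:
        return None
    return "wrong version number: client offers %s, server accepts only %s" % (
        VERSION_NAMES.get(cv, str(cv)),
        ", ".join(VERSION_NAMES.get(v, str(v)) for v in sorted(server_versions)))


if __name__ == "__main__":
    hello = parse_client_hello(CLIENT_HELLO_SSL3)
    print("client version:", VERSION_NAMES[hello["client_version"]])
    print("cipher suites: ", hello["cipher_names"])
    print("server reply:  ", parse_alert(ALERT_FROM_SERVER))
    print(explain_rejection(hello, {(3, 1)}))            # what "s_server -tls1" sees
    print(explain_rejection(hello, {(3, 0), (3, 1)}))    # a server that also allows SSLv3: None
```

Run as a script it prints that the client offered SSLv3 with the single suite EXP-DES-CBC-SHA, that the server answered a fatal handshake_failure alert (number 40, matching the s_client error text), and that a TLS1-only server refuses the hello on version alone, before cipher selection is even reached.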