Hello Experts,

I'm new to OpenSSL so please bear with me.

I'm trying to construct a simple example that uses a recent OpenSSL 1.0.1 
snapshot to create a secure connection using SRP without using any certificates.  
I am aware 1.0.1 is not yet released, but I've been told this should be 
possible.

Here's how I'm setting up the client:

srpclient.c:

  SSL_load_error_strings();
  OpenSSL_add_all_ciphers();
  OpenSSL_add_all_digests();
  (void) SSL_library_init(); // always succeeds per man page

  const SSL_METHOD *meth = TLSv1_client_method();
  SSL_CTX *ctx = SSL_CTX_new(meth);
  SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
  SSL_CTX_SRP_CTX_init(ctx);

  // unauthenticated (no-certificate) suites only, minus null/low/export, strongest first
  if (SSL_CTX_set_cipher_list(ctx, "aNULL:!eNULL:!LOW:!EXPORT:@STRENGTH") != 1)
    handleError("SSL_CTX_set_cipher_list failed");

  // client-side SRP identity, password and minimum group size in bits
  if (SSL_CTX_set_srp_username(ctx, (char *) USER_NAME) != 1)
    handleError("SSL_CTX_set_srp_username failed");

  if (SSL_CTX_set_srp_password(ctx, (char *) PASSWORD) != 1)
    handleError("SSL_CTX_set_srp_password failed");

  if (SSL_CTX_set_srp_strength(ctx, 1024) != 1)
    handleError("SSL_CTX_set_srp_strength failed");

  SSL *ssl = SSL_new(ctx);
  if (ssl == NULL)
    handleError("SSL_new failed");

  if (SSL_set_fd(ssl, sock) != 1)
    handleError("SSL_set_fd failed");

  int rc = SSL_connect(ssl);

=================================
and here is the server side:
=================================
srpserver.c:

  SSL_load_error_strings();
  OpenSSL_add_all_ciphers();
  OpenSSL_add_all_digests();
  (void) SSL_library_init(); // always succeeds per man page

  //  const SSL_METHOD *meth = SSLv23_server_method();

  const SSL_METHOD *meth = TLSv1_server_method();
  SSL_CTX *ctx = SSL_CTX_new(meth);
  SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
  SSL_CTX_SRP_CTX_init(ctx);

  // same suite selection as the client; no certificate or key is loaded anywhere
  if (SSL_CTX_set_cipher_list(ctx, "aNULL:!eNULL:!LOW:!EXPORT:@STRENGTH") != 1)
    handleError("SSL_CTX_set_cipher_list failed");

  SSL *ssl = SSL_new(ctx);
  if (ssl == NULL) {
    handleError("SSL_new() failed");
  }

  if (SSL_set_fd(ssl, sock) != 1)
    handleError("SSL_set_fd failed");

  // per-connection SRP parameters: salt and verifier derived from the password, 1024-bit RFC 5054 group
  if (SSL_set_srp_server_param_pw(ssl, USER_NAME, PASSWORD, "1024") != 1)
    handleError("SSL_set_srp_server_param_pw failed");

  int rc = SSL_accept(ssl);

=========================
On the server side I get this output:
normg@conifer>./srpserver

Server is starting to listen on port 57784
Server is starting accept on port 57784
TCP/IP Connection accepted

SSL_accept failed, error=SSL_ERROR_SSL
Details: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
s3_srvr.c at 1306

============================
and on the client I get:

normg@conifer>./srpclient
TCP/IP connect succeeded
SSL_connect failed, error=SSL_ERROR_SSL
Details: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake 
failure
s3_pkt.c at 1227


I've tried using various SSL methods such as SSLv3 and TLS_1_1, but I always 
get the same error.
It looks to me like the client still wants a cert from the server.

Another strange thing is that the following output seems to indicate that the 
SRP ciphers need SSLv3 instead of TLS1.x:

normg@conifer>./openssl ciphers -v 'ALL:eNULL' |grep -i SRP
SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(256)  Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=None Enc=AES(256)  Mac=SHA1
SRP-DSS-3DES-EDE-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=3DES(168) Mac=SHA1
SRP-RSA-3DES-EDE-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=3DES(168) Mac=SHA1
SRP-3DES-EDE-CBC-SHA    SSLv3 Kx=SRP      Au=None Enc=3DES(168) Mac=SHA1
SRP-DSS-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(128)  Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=None Enc=AES(128)  Mac=SHA1

normg@conifer>./openssl version
OpenSSL 1.0.1-dev xx XXX xxxx

Can anyone point me the right direction so I can get a simple SRP example to 
work?

Thanks for any help,

Norm Green
VMware, Inc.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org