[openssl-users] Failed TLSv1.2 handshake

Viktor Dukhovni openssl-users at dukhovni.org
Tue Dec 8 01:49:24 UTC 2015


On Mon, Dec 07, 2015 at 10:46:26PM +0000, Nounou Dadoun wrote:

> The cipher setting on the server is:
> SSL_CTX_set_cipher_list(pSslContext->GetNativeRef().impl(),  "ALL:SEED:!EXPORT:!LOW:!DES:!RC4");

Note, your cipher setting is likely not what you intend it to be,
instead try:

	"DEFAULT:!EXPORT:!LOW:!RC4:+SEED"

Unless you know what you're doing in enabling anonymous ciphers.
Also note the difference between ":SEED" and ":+SEED".

You're also using a version 1 server certificate with a public
exponent of "3".  This is a really bad idea.  You've not defined
any DH or ECDH parameters, so the cipher selected uses RSA key
transport, not a good idea, but should work barring bugs on either
side.

> Any suggestions?  Is it possible that we've selected a cipher setting which is not compiled in?

No, that gives you plenty of ciphers (more than you need).  Perhaps
the client is buggy.  Have you tried OpenSSL 1.0.2e?  What software
is the client running?

In any case, there are enough red flags all over the place that
make it likely that other mistakes are being made.

-- 
	Viktor.


More information about the openssl-users mailing list