[openssl-users] AECDH problem: works in 1.0.2, fails in 1.1

Norm Green norm.green at gemtalksystems.com
Wed Dec 14 20:41:24 UTC 2016


That was it. Thanks Matt!

On 12/13/16 15:48, Matt Caswell wrote:
>
> On 13/12/16 21:09, Norm Green wrote:
>> I have a simple C program that works in 1.0.2 but fails with the same
>> code in 1.1.
>> Here's the pseudo code for the client and server:
>>
>> Server:
>>    const SSL_METHOD *meth = TLSv1_2_server_method();
>>    SSL_CTX *ctx = SSL_CTX_new(meth);
>>    SSL_CTX_set_ecdh_auto(ctx, 1);
>>    SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
>>    SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
>>    SSL_CTX_set_cipher_list(ctx, "AECDH");
>>    SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
>>    SSL *ssl = SSL_new(ctx);
>>    SSL_accept(ssl);
>>
>>
>> Client:
>>    const SSL_METHOD *meth = TLSv1_2_client_method();
>>    SSL_CTX *ctx = SSL_CTX_new(meth);
>>    SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
>>    SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
>>    SSL_CTX_set_cipher_list(ctx, "AECDH");
>>    SSL *ssl = SSL_new(ctx);
>>    SSL_connect(ssl);
>>
>>
>> In 1.1, the client gets this error from SSL_connect()
>>
>> SSL_connect returned SSL_ERROR_SSL
>> Details: error:141640B5:SSL routines:tls_construct_client_hello:no
>> ciphers available
>> ssl/statem/statem_clnt.c at 815
>>
>>
>> What do I need to do to make AECDH work in 1.1 ?
> AECDH is in security level 0 but the default security level is 1. Read
> about security levels here:
>
> https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html
>
> You need to set the security level to 0 either through a call to
> SSL_CTX_set_security_level() or similar; or via the cipherstring using
> "AECDH:@SECLEVEL=0". See:
>
> https://www.openssl.org/docs/manmaster/man1/ciphers.html
>
> Matt

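The failure Norm hit and Matt's fix, reproduced as an added example (not code from this thread) using Python's ssl module, which hands the cipher string straight to SSL_CTX_set_cipher_list(). Both peers are pinned to TLS 1.2 because TLS 1.3 has no anonymous suites, and the failing case sets @SECLEVEL=1 explicitly to model the 1.1 default whatever the local openssl.cnf says; the in-memory handshake and its helper names are this example's own.

```python
import ssl


def make_ctx(server_side, cipher_string):
    """Context mirroring the thread's setup: no peer verification, TLS 1.2,
    cipher list passed verbatim (the @SECLEVEL= token lives in that string)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER if server_side
                         else ssl.PROTOCOL_TLS_CLIENT)
    if not server_side:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # SSL_VERIFY_NONE, as in the client above
    # TLS 1.3 has no anonymous suites, so pin both sides to TLSv1.2.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)        # -> SSL_CTX_set_cipher_list()
    return ctx


def anon_handshake(cipher_string):
    """Run an in-memory client/server handshake with the given cipher string.

    Returns the negotiated cipher name on success, otherwise the OpenSSL
    reason string of the failure (e.g. NO_CIPHERS_AVAILABLE)."""
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    try:
        client = make_ctx(False, cipher_string).wrap_bio(c_in, c_out, server_side=False)
        # No certificate is loaded: AECDH authenticates nobody, which is exactly
        # why security levels >= 1 refuse every aNULL suite.
        server = make_ctx(True, cipher_string).wrap_bio(s_in, s_out, server_side=True)
        for _ in range(10):
            finished = 0
            for side, out_bio, peer_in in ((client, c_out, s_in), (server, s_out, c_in)):
                try:
                    side.do_handshake()
                    finished += 1
                except ssl.SSLWantReadError:
                    pass                      # needs more bytes from the peer
                peer_in.write(out_bio.read())  # shuttle the flight across
            if finished == 2:
                return client.cipher()[0]
    except ssl.SSLError as err:
        return err.reason or str(err)
    return "handshake did not complete"


if __name__ == "__main__":
    print("@SECLEVEL=1 (the 1.1 default):", anon_handshake("AECDH:@SECLEVEL=1"))
    print("@SECLEVEL=0 (Matt's fix):     ", anon_handshake("AECDH:@SECLEVEL=0"))
```

The first call fails on the client side with the same "no ciphers available" reason from the original report, the second negotiates an AECDH suite.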