[openssl-users] OpenSSL-1.1-pre5 SSL_CTX_set_tmp_dh_callback

pepone.onrez pepone.onrez at gmail.com
Fri Jul 1 10:24:28 UTC 2016


Hi,

I am trying to update my software to use OpenSSL-1.1 and I am having problems
with DH callbacks.

When built with 1.1.0-pre5, the callback set with SSL_CTX_set_tmp_dh_callback
is not being called; when using 1.0.x it is called as expected.

I have built 1.1.0-pre5 from source with the default configuration; do I
need any special build option for this to work?

In my test the server and client enable only ADH ciphers; I see the
following ciphers are enabled:

   ADH-AES256-GCM-SHA384
   ADH-AES128-GCM-SHA256
   ADH-AES256-SHA256
   ADH-CAMELLIA256-SHA256
   ADH-AES128-SHA256
   ADH-CAMELLIA128-SHA256
   ADH-AES256-SHA
   ADH-CAMELLIA256-SHA
   ADH-AES128-SHA
   ADH-SEED-SHA
   ADH-CAMELLIA128-SHA
   ADH-DES-CBC3-SHA


The connection fails with

error # = 337002677
message = error:141640B5:SSL routines:tls_construct_client_hello:no ciphers available

I assume this is related to the DH callback not being called, and so
ADH ciphers cannot be used?

Any ideas why the DH callback is not being called? As I say, the code
works fine with all previous OpenSSL versions.

Regards,
José

