[openssl-users] OpenSSL-1.1-pre5 SSL_CTX_set_tmp_dh_callback
pepone.onrez
pepone.onrez at gmail.com
Fri Jul 1 13:19:34 UTC 2016
On 1 July 2016 at 12:31, Matt Caswell <matt at openssl.org> wrote:
>
>
> On 01/07/16 11:24, pepone.onrez wrote:
>> Hi,
>>
>> I am trying to update my software to use OpenSSL-1.1 and I am having problems
>> with DH callbacks.
>>
>> When built with 1.1.0-pre5 the callback set with SSL_CTX_set_tmp_dh_callback
>> is not being called; when using 1.0.x it is called as expected.
>>
>> I have built 1.1.0-pre5 from sources with the default configuration; do I
>> need any special build option for this to work?
>>
>> In my test the server and client enable only ADH ciphers; I see the
>> following ciphers are enabled:
>
> 1.1.0 has the concept of security levels to stop you from accidentally
> configuring bad things. The default security level is 1. ADH ciphers are
> in security level 0 (because they are considered insecure) and are
> therefore disabled by default, i.e. even if you configure them, if the
> security level isn't right then they won't get used.
>
> To set the security level differently you can either append
> "@SECLEVEL=0" to the end of the cipher string, or call
> SSL_set_security_level()/SSL_CTX_set_security_level().
>
> See:
> https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_security_level.html
>
> and
>
> https://www.openssl.org/docs/manmaster/apps/ciphers.html
>
> Matt
Thanks Matt, that was it, setting "SECLEVEL=0" makes the test work.
>
>
>>
>> ADH-AES256-GCM-SHA384
>> ADH-AES128-GCM-SHA256
>> ADH-AES256-SHA256
>> ADH-CAMELLIA256-SHA256
>> ADH-AES128-SHA256
>> ADH-CAMELLIA128-SHA256
>> ADH-AES256-SHA
>> ADH-CAMELLIA256-SHA
>> ADH-AES128-SHA
>> ADH-SEED-SHA
>> ADH-CAMELLIA128-SHA
>> ADH-DES-CBC3-SHA
>>
>>
>> The connection fails with
>>
>> error # = 337002677
>> message = error:141640B5:SSL routines:tls_construct_client_hello:no
>> ciphers available
>>
>> I assume this is related to the DH callback not being called, and so
>> ADH ciphers cannot be used?
>>
>> Any ideas why the DH callback is not being called? As I say, the code
>> works fine with all previous OpenSSL versions.
>>
>> Regards,
>> José
>>