[openssl-users] DSA with OpenSSL-1.1

pepone.onrez pepone.onrez at gmail.com
Fri Jul 1 14:51:40 UTC 2016


On 1 July 2016 at 16:40, Matt Caswell <matt at openssl.org> wrote:
>
>
> On 01/07/16 15:22, pepone.onrez wrote:
>> On 1 July 2016 at 15:39, Matt Caswell <matt at openssl.org> wrote:
>>>
>>>
>>> On 01/07/16 14:29, pepone.onrez wrote:
>>>> Hi,
>>>>
>>>> After upgrade my software to use OpenSSL-1.1 one of the test is
>>>> failing, the test in question client and server are configured to use
>>>> DSA certificates. The server is configured to request a client
>>>> certificate.
>>>>
>>>>    SSL error occurred for new outgoing connection:
>>>>    remote address = 127.0.0.1:47812
>>>>    error # = 336151568
>>>>    message = error:14094410:SSL routines:ssl3_read_bytes:reason(1040)
>>>>    location = ssl/record/rec_layer_s3.c, 1467
>>>>    data = SSL alert number 40
>>>
>>> Is this the error you get on the server or the client? The above
>>> indicates the connection was aborted because a HandshakeFailure alert
>>> was received from the peer. Therefore you need to look at the other end
>>> of the communication and see if there is some error message that
>>> indicates why the alert was sent.
>>>
>>> Matt
>> That was on the client, looking at the server I see it reports there
>> is no shared
>> cipher
>>
>>    SSL error occurred for new incoming connection:
>>    remote address = 127.0.0.1:36951
>>    error # = 337092801
>>    message = error:1417A0C1:SSL
>> routines:tls_post_process_client_hello:no shared cipher
>>
>> I have try to enable all ciphers with ALL:@SECLEVEL=0, but still get
>> the same error,
>> it is not clear why server client don't find a common cipher here.
>
> Did you successfully load a DSA certificate and key into the server? If
> the server doesn't like the cert/key for some reason then it won't make
> any DSS ciphersuites available.
>

Yes I using SSL_CTX_use_certificate and SSL_CTX_use_PrivateKey and
reading the pkcs12 cert with PKCS12_parse, that works fine with the rest
of my test suite.

> Also, I see you are trying to use a DHE based ciphersuite. Did you set
> DH parameters to be used? If so how did you do it?
>

I'm using a DH callback to set the DH parameters

DH*
IceSSL_opensslDHCallback(SSL* ssl, int /*isExport*/, int keyLength)
{
#  if OPENSSL_VERSION_NUMBER >= 0x10100000L
    SSL_CTX* ctx = SSL_get_SSL_CTX(ssl);
#  else
    SSL_CTX* ctx = ssl->ctx;
#  endif
    OpenSSLEngine* p =
reinterpret_cast<OpenSSLEngine*>(SSL_CTX_get_ex_data(ctx, 0));
    return p->dhParams(keyLength);
}
#  endif
}

SSL_CTX_set_options(_ctx, SSL_OP_SINGLE_DH_USE);
SSL_CTX_set_tmp_dh_callback(_ctx, IceSSL_opensslDHCallback);

And for default parameters I'm using d2i_DHparams to restore the DH
parameters I previously
saved with i2d_DHparams


> Matt
>
>
>>
>> Regards,
>> José
>>>
>>>
>>>
>>>
>>>>
>>>> When using OpenSSL 1.0.1 the connection success
>>>>
>>>>    cipher = DHE-DSS-AES256-GCM-SHA384
>>>>    bits = 256
>>>>    remote address = 127.0.0.1:43629
>>>>    protocol = TLSv1.2
>>>>
>>>>
>>>> I try to set security level to 0 for 1.1 but that doesn't make any
>>>> difference here, any ideas what could be the issue?
>>>>
>>> --
>>> openssl-users mailing list
>>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


More information about the openssl-users mailing list