configuring callbacks (or not) and SNI vs not... no shared cipher from server end

Viktor Dukhovni openssl-users at dukhovni.org
Wed May 8 20:35:19 UTC 2019


> On May 8, 2019, at 4:23 PM, Michael Richardson <mcr at sandelman.ca> wrote:
> 
> My questions about the documentation of the callbacks remain.
> Having solved the problem, I'm pretty certain the "no shared cipher"
> error message is way too overloaded.

It sounds like you failed to load a matching key pair into the server's
SSL context (something that you would typically check as part of setting
the certificate chain and private key).  Once the server context has no
signing keys, it can only negotiate anon-DHE and anon-ECDHE ciphers, but
the client did not offer these, so you got "no shared cipher", which is
in fact correct.

> Some piece of code is clearly doing something useful, which is to check if
> the public/private key match.  Unfortunately, that code is not announcing
> the mismatch in a useful way.

The check is done at configuration time.  You're likely not doing the key
setup "by the book":

   https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_certkey.c#L600-L623

-- 
	Viktor.



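The failure mode Viktor describes can be reproduced without any certificate files, since the problem is precisely that the server context has none. The following is an added example (not code from Viktor, Postfix or the OpenSSL project) that uses Python's standard `ssl` module, which wraps OpenSSL, to drive an in-memory handshake between a default client and a server context that never had a key pair loaded. The default client cipher list excludes anonymous suites, so the handshake fails during ClientHello processing; the reason string returned is whatever the linked OpenSSL build reports (`NO_SHARED_CIPHER` on the builds discussed in this thread). The hostname `server.example` and the `configured_server_context` helper are constructed for illustration; the latter shows the "by the book" path, where `load_cert_chain` performs the same key/certificate consistency check as `SSL_CTX_check_private_key` at configuration time, so a mismatch surfaces there rather than as a handshake failure later.

```python
from __future__ import annotations

import ssl


def _pump(src: ssl.MemoryBIO, dst: ssl.MemoryBIO) -> None:
    """Move any TLS records one side wrote into the peer's inbound BIO."""
    data = src.read()
    if data:
        dst.write(data)


def try_handshake(server_ctx: ssl.SSLContext, rounds: int = 16) -> tuple[bool, str]:
    """Drive an in-memory TLS handshake between a default client and server_ctx.

    Returns (True, cipher_name) on success, or (False, reason) on failure,
    where reason is OpenSSL's own error-reason string for this build.
    """
    client_ctx = ssl.create_default_context()
    client_ctx.check_hostname = False
    client_ctx.verify_mode = ssl.CERT_NONE  # chain validation is not the point here

    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "server.example" is a constructed SNI name; no real host is contacted.
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False,
                                 server_hostname="server.example")
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)

    finished = [False, False]  # client, server
    for _ in range(rounds):
        for i, side in enumerate((client, server)):
            if finished[i]:
                continue
            try:
                side.do_handshake()
                finished[i] = True
            except ssl.SSLWantReadError:
                pass  # waiting for the peer's next flight
            except ssl.SSLError as exc:
                return False, exc.reason or str(exc)
        _pump(c_out, s_in)
        _pump(s_out, c_in)
        if all(finished):
            return True, client.cipher()[0]
    return False, "handshake did not complete"


def unconfigured_server_context() -> ssl.SSLContext:
    """A server context with no certificate or private key loaded.

    With no signing keys, the server could only negotiate anonymous
    DHE/ECDHE suites, which the default client does not offer.
    """
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def configured_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """The configuration-time check: load_cert_chain loads the chain and key
    and raises ssl.SSLError if the key does not match the certificate, just as
    SSL_CTX_check_private_key does in C. Paths are caller-supplied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    ok, detail = try_handshake(unconfigured_server_context())
    print("handshake ok:" if ok else "handshake failed:", detail)
```

Running it prints the server-side reason for an empty context; swapping in `configured_server_context(...)` with a matching certificate and key makes the same handshake succeed, and with a mismatched pair the error is raised from `load_cert_chain`, before any client ever connects.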


