OpenSSL 1.1.1q DTLS Client error
Shashank Namdev
super007nova at gmail.com
Tue Aug 16 04:35:10 UTC 2022
Hello !
I'm completely new to openssl, but I really need to implement a simple
application which will use DTLS over UDP.
Unfortunately, it seems that all examples which I can find, correctly
implement DTLS server, but not implement DTLS client side.
After going through various blogs and OpenSSL documentation, I wrote
*/*Client code*/*
const char* const PREFERRED_CIPHERS =
"HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4:ADH-AES128-SHA:ADH-AES128-SHA256:ADH-AES256-SHA256:ECDHE-RSA-AES256-GCM-SHA384:@SECLEVEL=0";
const char *cipher_name;
int priority = 0;
STACK_OF(SSL_CIPHER) *cipher_n;
ctx = SSL_CTX_new(DTLS_client_method());
if (!ctx)
{
printf("Unable to create SSL context");
return E_FAILURE;
}
SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv3 |
SSL_OP_NO_TLSv1_3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_1 |
SSL_OP_NO_TLSv1);
SSL_CTX_set_min_proto_version(ctx, DTLS_MIN_VERSION);
SSL_CTX_set_max_proto_version(ctx, DTLS_MAX_VERSION);
SSL_CTX_set_security_level(ctx, 0);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
SSL_CTX_set_verify_depth (ctx, 1);
SSL_CTX_set_read_ahead(ctx, 1);
if (!SSL_CTX_use_certificate_file(ctx, <"Path to clientcert.pem">,
SSL_FILETYPE_PEM))
{
printf("\nERROR: no certificate found!");
return E_FAILURE;
}
if (!SSL_CTX_use_PrivateKey_file(ctx, <"Path to clientkey.key">,
SSL_FILETYPE_PEM))
{
printf("\nERROR: no private key found!");
return E_FAILURE;
}
if (!SSL_CTX_check_private_key (ctx))
{
printf("\nERROR: invalid private key!");
return E_FAILURE;
}
cipher_n = SSL_CTX_get_ciphers(ctx);
printf("%s\n", cipher_n);
iRet = SSL_CTX_set_cipher_list(ctx, PREFERRED_CIPHERS);
if(!(1 == iRet))
{
printf("\nERROR: SSL_set_cipher_list!");
}
ssl = SSL_new(ctx);
if (NULL == ssl)
{
fprintf(stderr, "SSL_new() failed\n");
return E_FAILURE;
}
SSL_set_connect_state(ssl);
while ((cipher_name = SSL_get_cipher_list(ssl, priority++)))
printf("%s\n", cipher_name);
printf("\n");
iRet = SSL_set_cipher_list(ssl, PREFERRED_CIPHERS);
if(!(1 == iRet))
{
printf("\nERROR: SSL_set_cipher_list!");
}
printf("\nSSL connection on socket %d,Version: %s, Cipher: %s", fd,
SSL_get_version(ssl), SSL_get_cipher(ssl));
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
SSL_set_fd(ssl, fd);
bio = BIO_new_dgram(fd, BIO_NOCLOSE);
SSL_set_bio(ssl, bio, bio);
/* ---------------------------------------------------------- *
* Try to SSL-connect here, returns 1 for success *
* ---------------------------------------------------------- */
RetrySSLConnect:
iRet = SSL_connect(ssl);
int err = SSL_get_error(ssl, iRet);
switch (err)
{
case SSL_ERROR_NONE:
goto SSLConnectSuccess;
case SSL_ERROR_WANT_WRITE:
case SSL_ERROR_WANT_READ:
Sleep(100);
goto RetrySSLConnect;
case SSL_ERROR_SYSCALL:
case SSL_ERROR_WANT_X509_LOOKUP:
case SSL_ERROR_ZERO_RETURN:
case SSL_ERROR_SSL:
{
if((err == SSL_ERROR_SSL) || (err == SSL_ERROR_SYSCALL))
{
char msg[1024];
ERR_error_string_n(ERR_get_error(), msg, sizeof(msg));
printf("%s,, %s,, %s,, %s\n", msg, ERR_lib_error_string(0),
ERR_func_error_string(0), ERR_reason_error_string(0));
}
}
default:
printf("\nSSL_connect error:%s %d",
ERR_reason_error_string(ERR_get_error()), ERR_get_error());
return E_FAILURE;
}
Server I am running on same machine with below command
*C:\Program Files\OpenSSL-Win32\bin>*openssl s_server -accept 9902 -cert
server.pem -key serverkey.key -dtls -debug
When I execute my client I get below *Output/error*
<
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
AES128-SHA
SSL connection on socket 8872,Version: DTLSv1.2, *Cipher:
(NONE)error:141E70BF:SSL routines:tls_construct_client_hello:no protocols
available*,, (null),, (null),, (null)
I already searched a lot, tried different codes but nothing worked.
Can someone please help me???
--
SN
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20220816/a560f7b7/attachment.htm>
More information about the openssl-users
mailing list