[openssl-dev] [openssl.org #3768] [BUG] using s_server with ECDHE-RSA is broken on OpenSSL 1.0.1m

Linsell, StevenX via RT rt at openssl.org
Fri Mar 27 13:12:59 UTC 2015


When testing s_server/s_client with ECDHE-RSA based ciphers
- with any protocol version 
- on the OpenSSL 1.0.1m release 
- on x86_64 Fedora 16 
the handshake fails with:
140305461679776:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1389:

Example commands:

s_server:
./openssl s_server -cert rsa1024TestServer.cert.pem -key rsa1024TestServer.key.pem -WWW -accept 4411 -cipher ECDHE-RSA-AES128-SHA -nbio -tls1_2 -debug -state

s_client:
echo "GET /file_1byte.html HTTP/1.0" | ./openssl s_client  -host localhost -port 4411 -cipher ECDHE-RSA-AES128-SHA -tls1_2 -ign_eof -debug -state

The issue has been tracked back to breaking on the following commit:

 commit 059907771b89549cbd07a81df1a5bdf51e062066
 Author: Matt Caswell <matt at openssl.org>
 Date:   Fri Feb 27 00:02:06 2015 +0000

     Fix warning with no-ec
    
     This fixes another warning when config'd with no-ec
    
     Reviewed-by: Dr. Stephen Henson <steve at openssl.org>


And I have confirmed it has been broken by the following uninitialised variable:

@@ -992,7 +992,10 @@ int MAIN(int argc, char *argv[])
     int badop = 0, bugs = 0;
     int ret = 1;
     int off = 0;
-    int no_tmp_rsa = 0, no_dhe = 0, no_ecdhe = 0, nocert = 0;
+    int no_tmp_rsa = 0, no_dhe = 0, nocert = 0;
+#ifndef OPENSSL_NO_ECDH
+    int no_ecdhe;     <---------------- Should have been initialised to 0
+#endif
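
Review bot: the added `int no_ecdhe;` inside the `#ifndef OPENSSL_NO_ECDH` block has lost the `= 0` initialiser that the removed declaration carried, so it stays indeterminate until something assigns it. Declare it as `int no_ecdhe = 0;` there, matching `no_tmp_rsa`, `no_dhe` and `nocert` on the line above, which all keep their `= 0`.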


Sorry, I would have supplied the fix as a patch but I haven't got my head around how to do that yet.
It is still broken in the latest 1.0.1-stable branch.
I have checked the other branches and only 1.0.1-stable appears to be affected.

Kind Regards,

Steve Linsell                                     Intel Shannon DCG/CID Software Development Team
Stevenx.Linsell at intel.com