[openssl-users] OpenSSL and iCloud

Jeffrey Walton noloader at gmail.com
Tue Jan 6 00:17:19 UTC 2015


On Mon, Jan 5, 2015 at 5:31 PM,  <openssl at comaxis.com> wrote:
> Never mind - I got it to work by using: meth = SSLv23_method();

You might consider removing the weak/wounded stuff:

    meth = SSLv23_method();
    ...

    long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
    SSL_CTX_set_options(ctx,flags);

>>> On Jan 5, 2015, at 12:01 PM, openssl at comaxis.com wrote:
>>>> Are there any known problems using OpenSSL with iCloud?  I am trying to
>>>> connect to imap.mail.me.com using port 993.  My call to SSL_Connect()
>>>> returns 0, with SSL_get_error() returning 1 (SSL_ERROR_SSL).  I am using
>>>> OpenSSL version 1.0.1h, running on Win32.  I can use this code with any
>>>> other IMAP server with no problems.
>>>
>>>
>>> Are you able to connect using the openssl s_client application? I can
>>> connect (to port 993, no starttls) with either 1.0.1j or 0.9.8za;
>>> perhaps s_client will give you a more diagnostic error message if it
>>> also fails for you.
>>>
>> I made a build of 1.0.1j but it made no difference to my application. In
>> fact, I *can* use "openssl s_client -connect" with iCloud.  Doing the same
>> thing with my own server (which my application works with) the only thing
>> I see different in the diagnostics provided by openssl is the cipher:
>> for imap.mail.me.com I get "AES256-GCM-SHA384" but with my own, I
>> get "ECDHE-RSA-AES256-GCM-SHA384".  Do I need to do something in the build
>> of OpenSSL to get support for AES256, or something different in my code
>> that uses SSL?  I would assume the latter, since the openssl utility is
>> using my brand new builds of the ssl dlls.  Here is what I am doing (with
>> error checking removed):
>>
>> SSL_library_init();
>> SSL_load_error_strings();
>> wsprintf (seed,"%lx%lx", GetCurrentProcessId(), time(0));
>> RAND_seed (seed, strlen(seed));
>> meth=SSLv3_method();
>> ctx = SSL_CTX_new(meth);
>>
>> SSL_CTX_set_options(ctx,0);
>> SSL_CTX_set_verify(ctx,SSL_VERIFY_NONE,NULL);
>> SSL_CTX_set_default_verify_paths(ctx);
>> ssl = SSL_new(ctx);
>> sbio = BIO_new_socket(gSocket, BIO_NOCLOSE);
>> SSL_set_bio(ssl, sbio, sbio);
>> ret = SSL_connect(ssl);

