[openssl-users] OpenSSL-1.1-pre5 SSL_CTX_set_tmp_dh_callback

Matt Caswell matt at openssl.org
Fri Jul 1 10:31:31 UTC 2016

On 01/07/16 11:24, pepone.onrez wrote:
> Hi,
> I trying to update my software to use OpenSSL-1.1 and I having problems
> with DH callbacks
> When build with 1.1.0-pre5 the callback set with SSL_CTX_set_tmp_dh_callback
> is not being called, when using 1.0.x it is called as expected.
> I have build 1.1.0-pre5 from sources with default configuration, do I
> need any special build option for this to work?
> In my test the server and client enables only ADH ciphers, I see the
> following ciphers are enabled:

1.1.0 has the concept of security levels to stop you from accidentally
configuring bad things. The default security level is 1. ADH ciphers are
in security level 0 (because they are considered insecure) and are
therefore disabled by default, i.e. even if you configure them, if the
security level isn't right then they won't get used.

To set the security level differently you can either append
"@SECLEVEL=0" to the end of the cipher string, or call





>    ADH-AES256-GCM-SHA384
>    ADH-AES128-GCM-SHA256
>    ADH-AES256-SHA256
>    ADH-AES128-SHA256
>    ADH-AES256-SHA
>    ADH-AES128-SHA
> The connection fails with
> error # = 337002677
> message = error:141640B5:SSL routines:tls_construct_client_hello:no
> ciphers available
> I assume this is related to the DH callback not being called, and so
> ADH ciphers cannot be used?
> Any ideas why the DH callback is not being called, as I say the code
> works fine with all previous OpenSSL versions.
> Regards,
> José

More information about the openssl-users mailing list