[openssl-users] OpenSSL-1.1-pre5 SSL_CTX_set_tmp_dh_callback
pepone.onrez at gmail.com
Fri Jul 1 13:19:34 UTC 2016
On 1 July 2016 at 12:31, Matt Caswell <matt at openssl.org> wrote:
> On 01/07/16 11:24, pepone.onrez wrote:
>> I'm trying to update my software to use OpenSSL-1.1 and I'm having problems
>> with DH callbacks.
>> When built with 1.1.0-pre5, the callback set with SSL_CTX_set_tmp_dh_callback
>> is not being called; when using 1.0.x it is called as expected.
>> I have built 1.1.0-pre5 from sources with the default configuration; do I
>> need any special build option for this to work?
>> In my test the server and client enable only ADH ciphers; I see the
>> following ciphers are enabled:
> 1.1.0 has the concept of security levels to stop you from accidentally
> configuring bad things. The default security level is 1. ADH ciphers are
> in security level 0 (because they are considered insecure) and are
> therefore disabled by default, i.e. even if you configure them, if the
> security level isn't right then they won't get used.
> To set the security level differently you can either append
> "@SECLEVEL=0" to the end of the cipher string, or call
Thanks Matt, that was it; setting "SECLEVEL=0" makes the test work.
>> The connection fails with
>> error # = 337002677
>> message = error:141640B5:SSL routines:tls_construct_client_hello:no
>> ciphers available
>> I assume this is related to the DH callback not being called, and so
>> ADH ciphers cannot be used?
>> Any ideas why the DH callback is not being called? As I say, the code
>> works fine with all previous OpenSSL versions.