[openssl-users] DSA with OpenSSL-1.1

Matt Caswell matt at openssl.org
Fri Jul 1 14:40:17 UTC 2016



On 01/07/16 15:22, pepone.onrez wrote:
> On 1 July 2016 at 15:39, Matt Caswell <matt at openssl.org> wrote:
>>
>>
>> On 01/07/16 14:29, pepone.onrez wrote:
>>> Hi,
>>>
>>> After upgrade my software to use OpenSSL-1.1 one of the test is
>>> failing, the test in question client and server are configured to use
>>> DSA certificates. The server is configured to request a client
>>> certificate.
>>>
>>>    SSL error occurred for new outgoing connection:
>>>    remote address = 127.0.0.1:47812
>>>    error # = 336151568
>>>    message = error:14094410:SSL routines:ssl3_read_bytes:reason(1040)
>>>    location = ssl/record/rec_layer_s3.c, 1467
>>>    data = SSL alert number 40
>>
>> Is this the error you get on the server or the client? The above
>> indicates the connection was aborted because a HandshakeFailure alert
>> was received from the peer. Therefore you need to look at the other end
>> of the communication and see if there is some error message that
>> indicates why the alert was sent.
>>
>> Matt
> That was on the client, looking at the server I see it reports there
> is no shared
> cipher
> 
>    SSL error occurred for new incoming connection:
>    remote address = 127.0.0.1:36951
>    error # = 337092801
>    message = error:1417A0C1:SSL
> routines:tls_post_process_client_hello:no shared cipher
> 
> I have try to enable all ciphers with ALL:@SECLEVEL=0, but still get
> the same error,
> it is not clear why server client don't find a common cipher here.

Did you successfully load a DSA certificate and key into the server? If
the server doesn't like the cert/key for some reason then it won't make
any DSS ciphersuites available.

Also, I see you are trying to use a DHE based ciphersuite. Did you set
DH parameters to be used? If so how did you do it?

Matt


> 
> Regards,
> José
>>
>>
>>
>>
>>>
>>> When using OpenSSL 1.0.1 the connection success
>>>
>>>    cipher = DHE-DSS-AES256-GCM-SHA384
>>>    bits = 256
>>>    remote address = 127.0.0.1:43629
>>>    protocol = TLSv1.2
>>>
>>>
>>> I try to set security level to 0 for 1.1 but that doesn't make any
>>> difference here, any ideas what could be the issue?
>>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


More information about the openssl-users mailing list