[openssl-users] DSA with OpenSSL-1.1

pepone.onrez pepone.onrez at gmail.com
Fri Jul 1 15:57:47 UTC 2016 

On 1 July 2016 at 16:51, pepone.onrez <pepone.onrez at gmail.com> wrote:
> On 1 July 2016 at 16:40, Matt Caswell <matt at openssl.org> wrote:
>>
>>
>> On 01/07/16 15:22, pepone.onrez wrote:
>>> On 1 July 2016 at 15:39, Matt Caswell <matt at openssl.org> wrote:
>>>>
>>>>
>>>> On 01/07/16 14:29, pepone.onrez wrote:
>>>>> Hi,
>>>>>
>>>>> After upgrade my software to use OpenSSL-1.1 one of the test is
>>>>> failing, the test in question client and server are configured to use
>>>>> DSA certificates. The server is configured to request a client
>>>>> certificate.
>>>>>
>>>>>    SSL error occurred for new outgoing connection:
>>>>>    remote address = 127.0.0.1:47812
>>>>>    error # = 336151568
>>>>>    message = error:14094410:SSL routines:ssl3_read_bytes:reason(1040)
>>>>>    location = ssl/record/rec_layer_s3.c, 1467
>>>>>    data = SSL alert number 40
>>>>
>>>> Is this the error you get on the server or the client? The above
>>>> indicates the connection was aborted because a HandshakeFailure alert
>>>> was received from the peer. Therefore you need to look at the other end
>>>> of the communication and see if there is some error message that
>>>> indicates why the alert was sent.
>>>>
>>>> Matt
>>> That was on the client, looking at the server I see it reports there
>>> is no shared
>>> cipher
>>>
>>>    SSL error occurred for new incoming connection:
>>>    remote address = 127.0.0.1:36951
>>>    error # = 337092801
>>>    message = error:1417A0C1:SSL
>>> routines:tls_post_process_client_hello:no shared cipher
>>>
>>> I have try to enable all ciphers with ALL:@SECLEVEL=0, but still get
>>> the same error,
>>> it is not clear why server client don't find a common cipher here.

I was not correctly setting the ciphers, Adding DHE to my ciphers and things
work fine.

With 1.0.0 I only have DEFAULT:DSS, I guess DHE is not longer in the DEFAULT
set

>>
>> Did you successfully load a DSA certificate and key into the server? If
>> the server doesn't like the cert/key for some reason then it won't make
>> any DSS ciphersuites available.
>>
>
> Yes I using SSL_CTX_use_certificate and SSL_CTX_use_PrivateKey and
> reading the pkcs12 cert with PKCS12_parse, that works fine with the rest
> of my test suite.
>
>> Also, I see you are trying to use a DHE based ciphersuite. Did you set
>> DH parameters to be used? If so how did you do it?
>>
>
> I'm using a DH callback to set the DH parameters
>
> DH*
> IceSSL_opensslDHCallback(SSL* ssl, int /*isExport*/, int keyLength)
> {
> #  if OPENSSL_VERSION_NUMBER >= 0x10100000L
>     SSL_CTX* ctx = SSL_get_SSL_CTX(ssl);
> #  else
>     SSL_CTX* ctx = ssl->ctx;
> #  endif
>     OpenSSLEngine* p =
> reinterpret_cast<OpenSSLEngine*>(SSL_CTX_get_ex_data(ctx, 0));
>     return p->dhParams(keyLength);
> }
> #  endif
> }
>
> SSL_CTX_set_options(_ctx, SSL_OP_SINGLE_DH_USE);
> SSL_CTX_set_tmp_dh_callback(_ctx, IceSSL_opensslDHCallback);
>
> And for default parameters I'm using d2i_DHparams to restore the DH
> parameters I previously
> saved with i2d_DHparams
>
>
>> Matt
>>
>>
>>>
>>> Regards,
>>> José
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>> When using OpenSSL 1.0.1 the connection success
>>>>>
>>>>>    cipher = DHE-DSS-AES256-GCM-SHA384
>>>>>    bits = 256
>>>>>    remote address = 127.0.0.1:43629
>>>>>    protocol = TLSv1.2
>>>>>
>>>>>
>>>>> I try to set security level to 0 for 1.1 but that doesn't make any
>>>>> difference here, any ideas what could be the issue?
>>>>>
>>>> --
>>>> openssl-users mailing list
>>>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

More information about the openssl-users mailing list