[openssl-users] “no shared cipher” at ssl_accept, why?
jockep
joachim.person at gmail.com
Tue Nov 29 17:06:33 UTC 2016
Have googled a lot, not found any answer to the following problem: Created
server code and client code, but get
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
at the server when doing SSL_connect.
The code below is narrowed down to the sequence of the SSL / socket related
function calls only. Error handling code has been applied where applicable
to make sure calls before SSL_accept / SSL_connect does not return any
failure codes. I have also left out initialization methods.
I do not know if it matters, but I run both server and client on localhost.
There might be obvious errors, but I am quite new with OpenSSL.
Client code (inparams: hostname, certificate_chain_file,
ca_certificate_file):
SSL_library_init();
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
ERR_load_crypto_strings();
OpenSSL_add_all_ciphers();
SSL_METHOD const * method = SSLv23_method();
SSL_CTX * ctx = SSL_CTX_new(method);
SSL_CTX_use_certificate_chain_file(ctx, certificate_chain_file));
const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_COMPRESSION;
SSL_CTX_set_options(ctx, flags);
SSL_CTX_load_verify_locations(ctx, ca_certificate_file, NULL));
struct hostent * host = gethostbyname(hostname);
int client_sd = socket(PF_INET, SOCK_STREAM, 0);
struct sockaddr_in server;
memset(&server, 0, sizeof(server));
server.sin_family = AF_INET;
server.sin_port = htons(6789);
server.sin_addr.s_addr = *(long *) (host->h_addr);
connect(client_sd, (struct sockaddr *) &server, sizeof(server));
SSL * ssl = SSL_new(ctx);
SSL_set_fd(ssl, client_sd);
const char * const preferred_ciphers =
"HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
SSL_set_cipher_list(ssl, preferred_ciphers);
SSL_set_tlsext_host_name(ssl, hostname);
mydata_t mydata;
mydata_index_client = SSL_get_ex_new_index(0, (void *) "mydata index", NULL,
NULL, NULL);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback_client);
SSL_CTX_set_verify_depth(ctx, 1);
mydata.verify_depth = 0;
SSL_set_ex_data(ssl, mydata_index_client, &mydata);
int connection_result = SSL_connect(ssl);
if (connection_result < 0)
{
// Comes in here and ERR_get_error indicates
// error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure
}
else if (connection_result == 0)
{
}
else if (connection_result == 1)
{
}
else
{
}
Server code (inparams: certificate_chain_file, ca_certificate_file):
SSL_library_init();
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
SSL_METHOD const * method = SSLv23_method();
SSL_CTX * ctx = SSL_CTX_new(method);
SSL_CTX_use_certificate_chain_file(ctx, certificate_chain_file); //Contains
only root CA
SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)
private_key_file_password);
SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
SSL_CTX_load_verify_locations(ctx, ca_certificate_file, NULL);
struct sockaddr_in addr;
int server_sd = create_socket(addr, 6789);
bind(server_sd, (struct sockaddr *) &addr, sizeof(addr));
listen(server_sd, max_nr_of_simultaneous_connections);
sockaddr_in client;
client.sin_family = AF_INET;
socklen_t c_len = sizeof(client);
int client_sd = accept(server_sd, (sockaddr *) &client, &c_len);
char remote_addr[INET_ADDRSTRLEN];
inet_ntop(client.sin_family, &(client.sin_addr), remote_addr,
INET_ADDRSTRLEN);
SSL * ssl = SSL_new(ctx);
SSL_set_fd(ssl, client_sd);
const char * const preferred_ciphers =
"HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
SSL_set_cipher_list(ssl, preferred_ciphers);
STACK_OF(X509_NAME) * cert_names =
SSL_load_client_CA_file(certificate_chain_file);
if (cert_names != NULL)
{
SSL_CTX_set_client_CA_list(ctx, cert_names);
}
mydata_t mydata;
mydata_index_server = SSL_get_ex_new_index(0, (void *) "mydata index", NULL,
NULL, NULL);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback_server);
SSL_CTX_set_verify_depth(ctx, 1);
mydata.verify_depth = 1;
SSL_set_ex_data(ssl, mydata_index_server, &mydata);
int accept_result = SSL_accept(ssl);
if (accept_result == 0)
{
}
else if (accept_result < 0)
{
// Comes in here and ERR_get_error indicates
// error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
}
openssl-ca.cnf:
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
default_days = 1000 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
x509_extensions = ca_extensions # The extensions to add to the cert
email_in_dn = no # Don't concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to cert
base_dir = .
certificate = $base_dir/certs/ca_fromweb.cert.pem # The CA certifcate
private_key = $base_dir/private/ca.key.pem # The CA private key
new_certs_dir = $base_dir # Location for new certs after signing
database = $base_dir/index2.txt # Database index file
serial = $base_dir/serial2.txt # The current serial number
unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
####################################################################
[ req ]
default_bits = 4096
default_keyfile = ./private/ca.key.pem
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
string_mask = utf8only
####################################################################
[ ca_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = SE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Östergötland
localityName = Locality Name (eg, city)
localityName_default =
organizationName = Organization Name (eg, company)
organizationName_default =
organizationalUnitName = Organizational Unit (eg, division)
organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default =
emailAddress = Email Address
emailAddress_default =
####################################################################
[ ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
####################################################################
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ signing_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
openssl-server.cnf:
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ req ]
default_bits = 2048
default_keyfile = ./intermediate/private/my.example.com.key.pem
distinguished_name = server_distinguished_name
req_extensions = server_req_extensions
string_mask = utf8only
####################################################################
[ server_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = SE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Östergötland
localityName = Locality Name (eg, city)
localityName_default = Linköping
organizationName = Organization Name (eg, company)
organizationName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default =
emailAddress = Email Address
emailAddress_default =
####################################################################
[ server_req_extensions ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
####################################################################
[ alternate_names ]
DNS.1 = my.example.com
Commands:
touch index.txt
echo 1000 > serial
openssl genrsa -aes256 -out ca.key.pem 4096
chmod 400 private/ca.key.pem
openssl req -config openssl-ca.cnf -key ca.key.pem -new -x509 -days 7300
-sha256 -extensions ca_extensions -out ca.cert.pem
chmod 444 ca.cert.pem
openssl genrsa -aes256 -out server.key.pem 4096
openssl req -config openssl-server.cnf -new -sha256 -key server.key.pem
-out my.example.com.csr.pem
openssl ca -config openssl-ca.cnf -policy signing_policy -extensions
signing_req -out my.example.com.cert.pem -infiles my.example.com.csr.pem
chmod 444 my.example.com.cert.pem
cat ca.cert.pem > ca_chain.cert.pem
Why is there still "no shared ciphers"?
--
View this message in context: http://openssl.6102.n7.nabble.com/no-shared-cipher-at-ssl-accept-why-tp69201.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
More information about the openssl-users
mailing list