[openssl-users] openssl client v1.1.0 can not connect: handshake failure:ssl/record/rec_layer_s3.c:1385:SSL alert number 40

Matthias Apitz guru at unixarea.de
Fri Feb 17 16:29:46 UTC 2017


El día Friday, February 17, 2017 a las 09:57:39AM +0000, Matt Caswell escribió:

> 
> 
> On 17/02/17 07:46, Matthias Apitz wrote:
> > New, TLSv1/SSLv3, Cipher is DHE-DSS-AES128-GCM-SHA256
> 
> Your server appears to be configured with a DSA certificate.
> 
> OpenSSL 1.1.0 made changes to the default ciphersuites that get sent.
> See this CHANGES entry:
> 
>   *) Changes to the DEFAULT cipherlist:
>        - Prefer (EC)DHE handshakes over plain RSA.
>        - Prefer AEAD ciphers over legacy ciphers.
>        - Prefer ECDSA over RSA when both certificates are available.
>        - Prefer TLSv1.2 ciphers/PRF.
>        - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
>          default cipherlist.
>      [Emilia Käsper]
> 
> So OpenSSL 1.1.0 does not offer any DSS based ciphersuites by default
> any more. If your server only has a DSA certificate then this is going
> to fail.

Thanks. I have aadded more ciphers using SSL_set_cipher_list(3) and all
is fine now.

	matthias

-- 
Matthias Apitz, ✉ guru at unixarea.de, ⌂ http://www.unixarea.de/  ☎ +49-176-38902045


More information about the openssl-users mailing list