SRP on 1.0.1f

Ralf Skyper Kaiser skyper at thc.org
Sat Sep 19 04:46:59 UTC 2020


Hello,

I'm trying to get SRP working on some older OpenSSL (2014) release. SRP has
been officially supported in OpenSSL since 2012. The example below works
fine on newer OpenSSL versions (such as 1.1.1g). I'm curious why this ain't
working on 1.0.1f:

SRP is supported:
$ openssl version
OpenSSL 1.0.1f 6 Jan 2014
$ openssl ciphers 'SRP' | sed 's/\:/\n/g'
SRP-DSS-AES-256-CBC-SHA
SRP-RSA-AES-256-CBC-SHA
SRP-AES-256-CBC-SHA
SRP-DSS-3DES-EDE-CBC-SHA
SRP-RSA-3DES-EDE-CBC-SHA
SRP-3DES-EDE-CBC-SHA
SRP-DSS-AES-128-CBC-SHA
SRP-RSA-AES-128-CBC-SHA
SRP-AES-128-CBC-SHA

# Create a srpvfile (myself / password)
$ openssl srp -srpvfile passwd.txt -add myself

# Server
$ openssl s_server -nocert -cipher SRP -srpvfile passwd.txt -accept 4444

# Client (same host)
$ openssl s_client -srpuser myself -cipher SRP -connect 127.1:4444

Server fails with:
140700035712672:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1389:

Client fails with:
139663869671072:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1278:SSL alert number 40
139663869671072:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:599:

tcpdump shows that the 'Client Hello' does contain the correct ciphers (all
9 from above) but the server rejected the Client-Hello (even though the server's
'openssl ciphers' command shows that all 9 are available and supported).

Why? Is SRP broken in 1.0.1f?


Ralf
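
Added example (not part of the original message): decoding the hex codes in the error lines above, assuming the 8/12/12-bit library/function/reason packing used by OpenSSL 1.0.x and 1.1.x. The lookup tables cover only the values that appear in this message, and `decode` is a hypothetical helper name.

```python
import re

ERR_LIB_SSL = 20             # library number of the SSL module
SSL_AD_REASON_OFFSET = 1000  # SSL reasons above this carry a received TLS alert

# Lookup tables limited to the values present in the message above.
SSL_FUNCS = {138: "SSL3_GET_CLIENT_HELLO", 148: "SSL3_READ_BYTES",
             158: "SSL3_WRITE_BYTES"}
SSL_REASONS = {193: "no shared cipher", 229: "ssl handshake failure"}
TLS_ALERTS = {40: "handshake_failure"}

# thread-id:error:CODE:lib text:func text:reason text:file.c:line:extra
LINE_RE = re.compile(
    r"^(\d+):error:([0-9A-Fa-f]{8}):(.*?):([^:\s]+\.c):(\d+):")

# The three error lines from the message, with the mail line-wrapping undone.
SAMPLE = [
    "140700035712672:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:"
    "no shared cipher:s3_srvr.c:1389:",
    "139663869671072:error:14094410:SSL routines:SSL3_READ_BYTES:"
    "sslv3 alert handshake failure:s3_pkt.c:1278:SSL alert number 40",
    "139663869671072:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:"
    "ssl handshake failure:s3_pkt.c:599:",
]

def decode(line):
    """Split one error-queue line into its packed fields; None if no match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    code = int(m.group(2), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET  # alert sent by the peer
    return {
        "lib": lib, "func": func, "reason": reason, "alert": alert,
        "func_name": SSL_FUNCS.get(func, "?") if lib == ERR_LIB_SSL else "?",
        "reason_name": TLS_ALERTS.get(alert, "?") if alert is not None
                       else SSL_REASONS.get(reason, "?"),
        "file": m.group(4), "line": int(m.group(5)),
    }

if __name__ == "__main__":
    for entry in SAMPLE:
        print(decode(entry))
```

The server-side line decodes to a locally raised reason (193, no shared cipher), while the first client-side line decodes to reason 1040, i.e. alert 40 received from the peer rather than a failure detected by the client itself.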