My bad - needed to initialize SSL_CTX_set_tmp_dh() BEFORE calling SSL_new(). From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Jim Carroll Sent: Saturday, August 06, 2016 6:59 AM To: openssl-users at openssl.org Subject: 'no shared cipher', TLS_method on OpenSSL-1-1-0-pre7-dev Using OpenSSL 1.1.0-pre7-dev, our SSL server app is reporting: 10308:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl\statem\statem_srvr.c:1420: Client & server both set to use TLS_method() with default ciphers. With -DCIPHER_DEBUG enabled in our OpenSSL build, we get the following: 0:[00000004:00000008:0000008C:00000014]003C6A08:ECDHE-ECDSA-AES256-GCM-SHA38 4 0:[00000004:00000001:0000008C:00000014]003C6A80:ECDHE-RSA-AES256-GCM-SHA384 0:[00000002:00000001:0000008C:00000014]003C5CAC:DHE-RSA-AES256-GCM-SHA384 0:[00000004:00000008:0000008C:00000014]003C7458:ECDHE-ECDSA-CHACHA20-POLY130 5 0:[00000004:00000001:0000008C:00000014]003C741C:ECDHE-RSA-CHACHA20-POLY1305 0:[00000002:00000001:0000008C:00000014]003C7494:DHE-RSA-CHACHA20-POLY1305 0:[00000004:00000008:0000008C:00000014]003C69CC:ECDHE-ECDSA-AES128-GCM-SHA25 6 0:[00000004:00000001:0000008C:00000014]003C6A44:ECDHE-RSA-AES128-GCM-SHA256 0:[00000002:00000001:0000008C:00000014]003C5C70:DHE-RSA-AES128-GCM-SHA256 0:[00000004:00000008:0000008C:00000014]003C6918:ECDHE-ECDSA-AES256-SHA384 0:[00000004:00000001:0000008C:00000014]003C6990:ECDHE-RSA-AES256-SHA384 0:[00000002:00000001:0000008C:00000014]003C56D0:DHE-RSA-AES256-SHA256 0:[00000004:00000008:0000008C:00000014]003C68DC:ECDHE-ECDSA-AES128-SHA256 0:[00000004:00000001:0000008C:00000014]003C6954:ECDHE-RSA-AES128-SHA256 0:[00000002:00000001:0000008C:00000014]003C5658:DHE-RSA-AES128-SHA256 0:[00000004:00000008:0000008C:00000014]003C64A4:ECDHE-ECDSA-AES256-SHA 0:[00000004:00000001:0000008C:00000014]003C6594:ECDHE-RSA-AES256-SHA 0:[00000002:00000001:0000008C:00000014]003C5400:DHE-RSA-AES256-SHA 0:[00000004:00000008:0000008C:00000014]003C6468:ECDHE-ECDSA-AES128-SHA 0:[00000004:00000001:0000008C:00000014]003C6558:ECDHE-RSA-AES128-SHA 0:[00000002:00000001:0000008C:00000014]003C5310:DHE-RSA-AES128-SHA 0:[00000004:00000008:0000008C:00000014]003C642C:ECDHE-ECDSA-DES-CBC3-SHA 0:[00000004:00000001:0000008C:00000014]003C651C:ECDHE-RSA-DES-CBC3-SHA 0:[00000002:00000001:0000008C:00000014]003C516C:DHE-RSA-DES-CBC3-SHA 0:[00000001:00000001:0000008C:00000014]003C5C34:AES256-GCM-SHA384 0:[00000001:00000001:0000008C:00000014]003C5BF8:AES128-GCM-SHA256 0:[00000001:00000001:0000008C:00000014]003C54F0:AES256-SHA256 0:[00000001:00000001:0000008C:00000014]003C54B4:AES128-SHA256 0:[00000001:00000001:0000008C:00000014]003C5388:AES256-SHA 0:[00000001:00000001:0000008C:00000014]003C5298:AES128-SHA 0:[00000001:00000001:0000008C:00000014]003C50F4:DES-CBC3-SHA It looks like both client & server have a lot of cipher's they could use together, but for a reason I can't yet understand, the server is refusing to accept the client's offered ciphers. Could anyone shed any light on this? -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160806/925e1d08/attachment-0001.html> -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4722 bytes Desc: not available URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160806/925e1d08/attachment-0001.bin>