OpenSSL-1.1-pre5 SSL_CTX_set_tmp_dh_callback

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 01/07/16 11:24, pepone.onrez wrote:
> Hi,
> 
> I trying to update my software to use OpenSSL-1.1 and I having problems
> with DH callbacks
> 
> When build with 1.1.0-pre5 the callback set with SSL_CTX_set_tmp_dh_callback
> is not being called, when using 1.0.x it is called as expected.
> 
> I have build 1.1.0-pre5 from sources with default configuration, do I
> need any special build option for this to work?
> 
> In my test the server and client enables only ADH ciphers, I see the
> following ciphers are enabled:

1.1.0 has the concept of security levels to stop you from accidentally
configuring bad things. The default security level is 1. ADH ciphers are
in security level 0 (because they are considered insecure) and are
therefore disabled by default, i.e. even if you configure them, if the
security level isn't right then they won't get used.

To set the security level differently you can either append
"@SECLEVEL=0" to the end of the cipher string, or call
SSL_set_security_level()/SSL_CTX_set_security_level().

See:
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_security_level.html

and

https://www.openssl.org/docs/manmaster/apps/ciphers.html

Matt


> 
>    ADH-AES256-GCM-SHA384
>    ADH-AES128-GCM-SHA256
>    ADH-AES256-SHA256
>    ADH-CAMELLIA256-SHA256
>    ADH-AES128-SHA256
>    ADH-CAMELLIA128-SHA256
>    ADH-AES256-SHA
>    ADH-CAMELLIA256-SHA
>    ADH-AES128-SHA
>    ADH-SEED-SHA
>    ADH-CAMELLIA128-SHA
>    ADH-DES-CBC3-SHA
> 
> 
> The connection fails with
> 
> error # = 337002677
> message = error:141640B5:SSL routines:tls_construct_client_hello:no
> ciphers available
> 
> I assume this is related to the DH callback not being called, and so
> ADH ciphers cannot be used?
> 
> Any ideas why the DH callback is not being called, as I say the code
> works fine with all previous OpenSSL versions.
> 
> Regards,
> Jos?
> 


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux