On 01/07/16 11:24, pepone.onrez wrote:
> Hi,
>
> I'm trying to update my software to use OpenSSL-1.1 and I'm having problems
> with DH callbacks.
>
> When built with 1.1.0-pre5 the callback set with SSL_CTX_set_tmp_dh_callback
> is not being called; when using 1.0.x it is called as expected.
>
> I have built 1.1.0-pre5 from sources with the default configuration. Do I
> need any special build option for this to work?
>
> In my test the server and client enable only ADH ciphers. I see the
> following ciphers are enabled:

1.1.0 has the concept of security levels to stop you from accidentally
configuring bad things. The default security level is 1. ADH ciphers are in
security level 0 (because they are considered insecure) and are therefore
disabled by default, i.e. even if you configure them, if the security level
isn't right then they won't get used.

To set the security level differently you can either append "@SECLEVEL=0" to
the end of the cipher string, or call
SSL_set_security_level()/SSL_CTX_set_security_level().

See:
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_security_level.html
and
https://www.openssl.org/docs/manmaster/apps/ciphers.html

Matt

>
> ADH-AES256-GCM-SHA384
> ADH-AES128-GCM-SHA256
> ADH-AES256-SHA256
> ADH-CAMELLIA256-SHA256
> ADH-AES128-SHA256
> ADH-CAMELLIA128-SHA256
> ADH-AES256-SHA
> ADH-CAMELLIA256-SHA
> ADH-AES128-SHA
> ADH-SEED-SHA
> ADH-CAMELLIA128-SHA
> ADH-DES-CBC3-SHA
>
>
> The connection fails with
>
> error # = 337002677
> message = error:141640B5:SSL routines:tls_construct_client_hello:no
> ciphers available
>
> I assume this is related to the DH callback not being called, and so
> ADH ciphers cannot be used?
>
> Any ideas why the DH callback is not being called? As I say, the code
> works fine with all previous OpenSSL versions.
>
> Regards,
> Jos?
>