On 1 July 2016 at 12:31, Matt Caswell <matt at openssl.org> wrote:
>
> On 01/07/16 11:24, pepone.onrez wrote:
>> Hi,
>>
>> I am trying to update my software to use OpenSSL-1.1 and I am having problems
>> with DH callbacks.
>>
>> When built with 1.1.0-pre5 the callback set with SSL_CTX_set_tmp_dh_callback
>> is not being called; when using 1.0.x it is called as expected.
>>
>> I have built 1.1.0-pre5 from sources with the default configuration; do I
>> need any special build option for this to work?
>>
>> In my test the server and client enable only ADH ciphers. I see the
>> following ciphers are enabled:
>
> 1.1.0 has the concept of security levels to stop you from accidentally
> configuring bad things. The default security level is 1. ADH ciphers are
> in security level 0 (because they are considered insecure) and are
> therefore disabled by default, i.e. even if you configure them, if the
> security level isn't right then they won't get used.
>
> To set the security level differently you can either append
> "@SECLEVEL=0" to the end of the cipher string, or call
> SSL_set_security_level()/SSL_CTX_set_security_level().
>
> See:
> https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_security_level.html
>
> and
>
> https://www.openssl.org/docs/manmaster/apps/ciphers.html
>
> Matt

Thanks Matt, that was it; setting "SECLEVEL=0" makes the test work.

>
>>
>> ADH-AES256-GCM-SHA384
>> ADH-AES128-GCM-SHA256
>> ADH-AES256-SHA256
>> ADH-CAMELLIA256-SHA256
>> ADH-AES128-SHA256
>> ADH-CAMELLIA128-SHA256
>> ADH-AES256-SHA
>> ADH-CAMELLIA256-SHA
>> ADH-AES128-SHA
>> ADH-SEED-SHA
>> ADH-CAMELLIA128-SHA
>> ADH-DES-CBC3-SHA
>>
>> The connection fails with
>>
>> error # = 337002677
>> message = error:141640B5:SSL routines:tls_construct_client_hello:no
>> ciphers available
>>
>> I assume this is related to the DH callback not being called, and so
>> ADH ciphers cannot be used?
>>
>> Any ideas why the DH callback is not being called, as I say the code
>> works fine with all previous OpenSSL versions.
>>
>> Regards,
>> José
>>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
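To make the filtering Matt describes visible from the command line, here is an added shell example; it is not part of this thread and not OpenSSL project code. It uses the -s flag of `openssl ciphers`, which lists only the suites consistent with the security level, to show what a cipher string really yields at a given @SECLEVEL, and turns that into a check a practitioner would want: confirm that a cipher string, at the level the application actually runs with, offers no anonymous (Au=None) suite. It assumes an OpenSSL 1.1.0-or-later `openssl` binary on PATH, since neither -s nor the @SECLEVEL= syntax exists in 1.0.x; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: show what a cipher string actually
# yields once OpenSSL's security level is applied, and audit the result
# for anonymous suites. Assumes an OpenSSL >= 1.1.0 `openssl` binary on
# PATH (the -s flag and the @SECLEVEL= syntax are not in 1.0.x).

# List the suites OpenSSL would really offer for cipher string $1 at
# security level $2. Without -s, `openssl ciphers` prints everything that
# matched the string (the same view as SSL_get_ciphers(), which is why the
# ADH list in the thread looked fine); with -s it applies the security
# level and protocol-version filter, so a suite missing here is one that
# produces "no ciphers available" when the ClientHello is built.
supported_ciphers() {
    spec=$1
    level=$2
    openssl ciphers -s -v "${spec}:@SECLEVEL=${level}"
}

# Count the unauthenticated suites (Au=None in the verbose description,
# i.e. ADH/AECDH) that survive the filter. grep -c exits 1 when the
# count is 0, which is not an error here, so swallow that status.
count_anon() {
    supported_ciphers "$1" "$2" | grep -c 'Au=None' || true
}

# Audit helper: succeed (exit 0) only if cipher string $1 at level $2
# offers no anonymous suite. Run it against the real cipher string and
# the level the application is configured with (1 is the default).
assert_no_anon() {
    [ "$(count_anon "$1" "$2")" -eq 0 ]
}

# Demonstration: the ADH-only cipher string from the thread (aNULL) at
# the default level 1 and at level 0.
echo "aNULL at @SECLEVEL=1 -> $(count_anon aNULL 1) anonymous suites offered"
echo "aNULL at @SECLEVEL=0 -> $(count_anon aNULL 0) anonymous suites offered"
```

At level 1 the ADH suites are all filtered out and the count is 0, which is exactly the state José's client was in; at level 0 they come back. The useful routine use is `assert_no_anon '<your cipher string>' 1`: since ALL and DEFAULT-style strings can match anonymous suites before the level filter, checking the filtered view at the level you deploy with is what tells you whether the filter is doing the work.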