On 01/07/16 15:22, pepone.onrez wrote:
> On 1 July 2016 at 15:39, Matt Caswell <matt at openssl.org> wrote:
>>
>>
>> On 01/07/16 14:29, pepone.onrez wrote:
>>> Hi,
>>>
>>> After upgrading my software to use OpenSSL-1.1 one of the tests is
>>> failing; in the test in question client and server are configured to use
>>> DSA certificates. The server is configured to request a client
>>> certificate.
>>>
>>> SSL error occurred for new outgoing connection:
>>> remote address = 127.0.0.1:47812
>>> error # = 336151568
>>> message = error:14094410:SSL routines:ssl3_read_bytes:reason(1040)
>>> location = ssl/record/rec_layer_s3.c, 1467
>>> data = SSL alert number 40
>>
>> Is this the error you get on the server or the client? The above
>> indicates the connection was aborted because a HandshakeFailure alert
>> was received from the peer. Therefore you need to look at the other end
>> of the communication and see if there is some error message that
>> indicates why the alert was sent.
>>
>> Matt
>
> That was on the client; looking at the server I see it reports there
> is no shared cipher
>
> SSL error occurred for new incoming connection:
> remote address = 127.0.0.1:36951
> error # = 337092801
> message = error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
>
> I have tried to enable all ciphers with ALL:@SECLEVEL=0, but still get
> the same error;
> it is not clear why server and client don't find a common cipher here.

Did you successfully load a DSA certificate and key into the server? If
the server doesn't like the cert/key for some reason then it won't make
any DSS ciphersuites available.

Also, I see you are trying to use a DHE based ciphersuite. Did you set DH
parameters to be used? If so, how did you do it?

Matt

>
> Regards,
> José
>>
>>
>>>
>>> When using OpenSSL 1.0.1 the connection succeeds
>>>
>>> cipher = DHE-DSS-AES256-GCM-SHA384
>>> bits = 256
>>> remote address = 127.0.0.1:43629
>>> protocol = TLSv1.2
>>>
>>>
>>> I tried to set the security level to 0 for 1.1 but that doesn't make any
>>> difference here, any ideas what could be the issue?
>>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
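
The two "error # =" values quoted in this thread can be unpacked by hand to see which end raised the error. The following is an added example, not part of the original messages and not OpenSSL's own code; it assumes the OpenSSL 1.0.x/1.1.x packed error layout, and the helper names are hypothetical.

```c
#include <stdio.h>

/* Packed error layout used by OpenSSL 1.0.x/1.1.x (ERR_PACK):
 *   bits 31..24 library, bits 23..12 function, bits 11..0 reason.
 * OpenSSL 3.x changed this layout, so these helpers apply only to
 * codes logged by the versions discussed in this thread. */
#define LIB_SSL            20    /* ERR_LIB_SSL */
#define AD_REASON_OFFSET   1000  /* SSL_AD_REASON_OFFSET */
#define R_NO_SHARED_CIPHER 193   /* SSL_R_NO_SHARED_CIPHER */

/* Hypothetical helper names; they mirror ERR_GET_LIB/FUNC/REASON. */
static unsigned err_lib(unsigned long e)    { return (unsigned)((e >> 24) & 0xFF); }
static unsigned err_func(unsigned long e)   { return (unsigned)((e >> 12) & 0xFFF); }
static unsigned err_reason(unsigned long e) { return (unsigned)(e & 0xFFF); }

/* Returns the TLS alert number if the code records an alert received
 * from the peer, or -1 if the error was raised locally. */
static int peer_alert(unsigned long e)
{
    unsigned r = err_reason(e);
    if (err_lib(e) != LIB_SSL || r < AD_REASON_OFFSET || r > AD_REASON_OFFSET + 255)
        return -1;
    return (int)r - AD_REASON_OFFSET;
}

/* Which end of the connection to investigate next. */
static const char *where_to_look(unsigned long e)
{
    if (peer_alert(e) >= 0)
        return "peer sent an alert: read the peer's error queue";
    if (err_lib(e) == LIB_SSL && err_reason(e) == R_NO_SHARED_CIPHER)
        return "local: no shared cipher, check cert/key and DH setup";
    return "local error";
}

int main(void)
{
    /* The two "error # =" values quoted in the thread. */
    unsigned long codes[] = { 336151568UL, 337092801UL };
    for (int i = 0; i < 2; i++) {
        unsigned long e = codes[i];
        printf("%08lX lib=%u func=0x%03X reason=%u alert=%d -> %s\n",
               e, err_lib(e), err_func(e), err_reason(e),
               peer_alert(e), where_to_look(e));
    }
    return 0;
}
```

The client-side code decodes to reason 1040, that is alert 40 received from the peer, while the server-side code decodes to a locally raised reason 193.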