On 01/07/16 16:57, pepone.onrez wrote:
> On 1 July 2016 at 16:51, pepone.onrez <pepone.onrez at gmail.com> wrote:
>> On 1 July 2016 at 16:40, Matt Caswell <matt at openssl.org> wrote:
>>>
>>> On 01/07/16 15:22, pepone.onrez wrote:
>>>> On 1 July 2016 at 15:39, Matt Caswell <matt at openssl.org> wrote:
>>>>>
>>>>> On 01/07/16 14:29, pepone.onrez wrote:
>>>>>> Hi,
>>>>>>
>>>>>> After upgrading my software to use OpenSSL-1.1 one of the tests is
>>>>>> failing. In the test in question, client and server are configured to use
>>>>>> DSA certificates. The server is configured to request a client
>>>>>> certificate.
>>>>>>
>>>>>> SSL error occurred for new outgoing connection:
>>>>>> remote address = 127.0.0.1:47812
>>>>>> error # = 336151568
>>>>>> message = error:14094410:SSL routines:ssl3_read_bytes:reason(1040)
>>>>>> location = ssl/record/rec_layer_s3.c, 1467
>>>>>> data = SSL alert number 40
>>>>>
>>>>> Is this the error you get on the server or the client? The above
>>>>> indicates the connection was aborted because a HandshakeFailure alert
>>>>> was received from the peer. Therefore you need to look at the other end
>>>>> of the communication and see if there is some error message that
>>>>> indicates why the alert was sent.
>>>>>
>>>>> Matt
>>>>
>>>> That was on the client. Looking at the server, I see it reports there
>>>> is no shared cipher:
>>>>
>>>> SSL error occurred for new incoming connection:
>>>> remote address = 127.0.0.1:36951
>>>> error # = 337092801
>>>> message = error:1417A0C1:SSL
>>>> routines:tls_post_process_client_hello:no shared cipher
>>>>
>>>> I have tried to enable all ciphers with ALL:@SECLEVEL=0, but still get
>>>> the same error; it is not clear why server and client don't find a
>>>> common cipher here.
>
> I was not correctly setting the ciphers. Adding DHE to my ciphers and things
> work fine.
>
> With 1.0.0 I only have DEFAULT:DSS, I guess DHE is no longer in the DEFAULT
> set

There are DHE ciphersuites in the default set, but there are no DSS
ciphersuites.

"DEFAULT" is treated as a special case when processing a cipher string - and
works completely differently to other keywords that you might use. Most
keywords are aliases for a set of ciphersuites, so "DHE" is the set of all
ciphersuites that use DHE; "DSS" is the set of all ciphersuites that use DSS;
"AES" is the set of all ciphersuites that use AES and so on.

"DEFAULT" on the other hand must appear first in a cipher string and is just
shorthand for saying:

"ALL:!COMPLEMENTOFDEFAULT:!eNULL"

COMPLEMENTOFDEFAULT is the set of ciphersuites that we don't switch on by
default (excluding eNULL based ciphersuites), and the "!" means permanently
switch off. So in other words DEFAULT is shorthand for saying take ALL
ciphersuites, and then permanently remove all of those in the
COMPLEMENTOFDEFAULT set, and permanently remove all of those in the eNULL set.

All DSS based ciphersuites are in COMPLEMENTOFDEFAULT. Therefore "DEFAULT:DSS"
is permanently removing DSS (because it's in COMPLEMENTOFDEFAULT), and then
attempting to add it back in again (which it won't do because it's been
permanently removed).

Matt
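A small model of the keyword processing Matt describes above, added here as an example and not OpenSSL's own code: the suite table is constructed and abbreviated, and COMPLEMENTOFDEFAULT is reduced to just the DSS suites so that "DEFAULT:DSS" versus "DHE:DSS" can be traced by hand.

```python
# Simplified model (added example, not OpenSSL's own code) of how a cipher
# string is walked: a plain keyword enables matching suites, "-" disables them
# (a later keyword may re-enable), "!" disables them permanently, and
# "DEFAULT" (first token only) is shorthand for ALL:!COMPLEMENTOFDEFAULT:!eNULL.
from typing import Dict, List, Set

# Constructed, abbreviated table: suite name -> alias keywords it belongs to.
SUITES: Dict[str, Set[str]] = {
    "ECDHE-RSA-AES128-GCM-SHA256": {"ECDHE", "RSA", "AES", "SHA256"},
    "DHE-RSA-AES128-GCM-SHA256": {"DHE", "RSA", "AES", "SHA256"},
    "DHE-DSS-AES128-GCM-SHA256": {"DHE", "DSS", "AES", "SHA256"},
    "DHE-DSS-AES128-SHA": {"DHE", "DSS", "AES", "SHA1"},
    "AES128-SHA": {"RSA", "AES", "SHA1"},
    "NULL-SHA256": {"RSA", "eNULL", "SHA256"},
}

def alias_members(alias: str) -> Set[str]:
    """Suites covered by one keyword. ALL excludes eNULL; in this model only
    the DSS suites are off by default (the real set is larger)."""
    if alias == "ALL":
        return {s for s, tags in SUITES.items() if "eNULL" not in tags}
    if alias == "COMPLEMENTOFDEFAULT":
        return {s for s, tags in SUITES.items() if "DSS" in tags}
    return {s for s, tags in SUITES.items() if alias in tags}

def expand_cipher_string(spec: str) -> List[str]:
    tokens = spec.split(":")
    if tokens and tokens[0] == "DEFAULT":
        tokens = ["ALL", "!COMPLEMENTOFDEFAULT", "!eNULL"] + tokens[1:]
    enabled: List[str] = []
    killed: Set[str] = set()  # "!" marks a suite as never re-addable
    for tok in tokens:
        if not tok or tok.startswith("@"):
            continue  # "@SECLEVEL=n" is a directive, not an alias
        op, alias = (tok[0], tok[1:]) if tok[0] in "!-+" else ("", tok)
        for suite in SUITES:  # table order keeps the output deterministic
            if suite not in alias_members(alias):
                continue
            was_on = suite in enabled
            if op and was_on:
                enabled.remove(suite)  # "!"/"-" drop it, "+" moves it to the end
            if op == "!":
                killed.add(suite)
            elif op == "+" and was_on:
                enabled.append(suite)
            elif op == "" and not was_on and suite not in killed:
                enabled.append(suite)
    return enabled
```

`expand_cipher_string("DEFAULT:DSS")` yields no DSS suite because the `!COMPLEMENTOFDEFAULT` step marks them killed before `DSS` tries to add them back, whereas `"DHE:DSS"` and `"ALL:-DSS:DSS"` do include them.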