“no shared cipher” at ssl_accept, why?

jockep <joachim.person@xxxxxxxxx> · Tue, 29 Nov 2016 10:06:33 -0700 (MST)

Have googled a lot, not found any answer to the following problem: Created
server code and client code, but get

error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

at the server when doing SSL_connect.

The code below is narrowed down to the sequence of the SSL / socket related
function calls only. Error handling code has been applied where applicable
to make sure calls before SSL_accept / SSL_connect does not return any
failure codes. I have also left out initialization methods.

I do not know if it matters, but I run both server and client on localhost.

There might be obvious errors, but I am quite new with OpenSSL.

Client code (inparams: hostname, certificate_chain_file,
ca_certificate_file):

SSL_library_init();
OpenSSL_add_all_algorithms();
SSL_load_error_strings();       
ERR_load_crypto_strings();     
OpenSSL_add_all_ciphers();    
SSL_METHOD const * method = SSLv23_method();  
SSL_CTX * ctx = SSL_CTX_new(method);
SSL_CTX_use_certificate_chain_file(ctx, certificate_chain_file));
const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_COMPRESSION; 
SSL_CTX_set_options(ctx, flags);
SSL_CTX_load_verify_locations(ctx, ca_certificate_file, NULL));
struct hostent * host = gethostbyname(hostname);
int client_sd = socket(PF_INET, SOCK_STREAM, 0);
struct sockaddr_in server;
memset(&server, 0, sizeof(server));
server.sin_family = AF_INET;
server.sin_port = htons(6789);
server.sin_addr.s_addr = *(long *) (host->h_addr);
connect(client_sd, (struct sockaddr *) &server, sizeof(server));
SSL * ssl = SSL_new(ctx);
SSL_set_fd(ssl, client_sd);
const char * const preferred_ciphers =
"HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
SSL_set_cipher_list(ssl, preferred_ciphers);  
SSL_set_tlsext_host_name(ssl, hostname);   
mydata_t mydata;
mydata_index_client = SSL_get_ex_new_index(0, (void *) "mydata index", NULL,
NULL, NULL);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback_client);
SSL_CTX_set_verify_depth(ctx, 1);
mydata.verify_depth = 0;
SSL_set_ex_data(ssl, mydata_index_client, &mydata);
int connection_result = SSL_connect(ssl);
if (connection_result < 0)
{
  // Comes in here and ERR_get_error indicates
  // error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure
}
else if (connection_result == 0)
{
}
else if (connection_result == 1)
{
}
else
{
}

Server code (inparams: certificate_chain_file, ca_certificate_file):

SSL_library_init();
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
SSL_METHOD const * method = SSLv23_method();
SSL_CTX * ctx = SSL_CTX_new(method);
SSL_CTX_use_certificate_chain_file(ctx, certificate_chain_file);  //Contains
only root CA
SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)
private_key_file_password);
SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
SSL_CTX_load_verify_locations(ctx, ca_certificate_file, NULL);
struct sockaddr_in addr;
int server_sd = create_socket(addr, 6789);
bind(server_sd, (struct sockaddr *) &addr, sizeof(addr));
listen(server_sd, max_nr_of_simultaneous_connections);
sockaddr_in client;
client.sin_family = AF_INET;
socklen_t c_len = sizeof(client);
int client_sd = accept(server_sd, (sockaddr *) &client, &c_len);
char remote_addr[INET_ADDRSTRLEN];
inet_ntop(client.sin_family, &(client.sin_addr), remote_addr,
INET_ADDRSTRLEN);
SSL * ssl = SSL_new(ctx);
SSL_set_fd(ssl, client_sd);
const char * const preferred_ciphers =
"HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
SSL_set_cipher_list(ssl, preferred_ciphers);   
STACK_OF(X509_NAME) * cert_names =
SSL_load_client_CA_file(certificate_chain_file);
if (cert_names != NULL)
{
    SSL_CTX_set_client_CA_list(ctx, cert_names);
}
mydata_t mydata;
mydata_index_server = SSL_get_ex_new_index(0, (void *) "mydata index", NULL,
NULL, NULL);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback_server);
SSL_CTX_set_verify_depth(ctx, 1);
mydata.verify_depth = 1;
SSL_set_ex_data(ssl, mydata_index_server, &mydata);
int accept_result = SSL_accept(ssl);
if (accept_result == 0)
{
}
else if (accept_result < 0)
{
  // Comes in here and ERR_get_error indicates
  // error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
}

openssl-ca.cnf:

HOME            = .
RANDFILE        = $ENV::HOME/.rnd

####################################################################
[ ca ]
default_ca  = CA_default        # The default ca section

####################################################################
[ CA_default ]
default_days     = 1000          # how long to certify for
default_crl_days = 30            # how long before next CRL
default_md       = sha256        # use public key default MD
preserve         = no            # keep passed DN ordering

x509_extensions  = ca_extensions     # The extensions to add to the cert

email_in_dn      = no            # Don't concat the email in the DN
copy_extensions  = copy          # Required to copy SANs from CSR to cert

base_dir        = .
certificate     = $base_dir/certs/ca_fromweb.cert.pem  # The CA certifcate
private_key     = $base_dir/private/ca.key.pem   # The CA private key
new_certs_dir   = $base_dir     # Location for new certs after signing
database        = $base_dir/index2.txt   # Database index file
serial          = $base_dir/serial2.txt  # The current serial number

unique_subject  = no            # Set to 'no' to allow creation of
                                # several certificates with same subject.

####################################################################
[ req ]
default_bits        = 4096
default_keyfile     = ./private/ca.key.pem
distinguished_name  = ca_distinguished_name
x509_extensions     = ca_extensions
string_mask         = utf8only

####################################################################
[ ca_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default = SE

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Östergötland

localityName            = Locality Name (eg, city)
localityName_default    = 

organizationName          = Organization Name (eg, company)
organizationName_default  = 

organizationalUnitName          = Organizational Unit (eg, division)
organizationalUnitName_default  = 

commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default  = 

emailAddress            = Email Address
emailAddress_default    = 

####################################################################
[ ca_extensions ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer
basicConstraints        = critical, CA:true
keyUsage                = keyCertSign, cRLSign

####################################################################
[ signing_policy ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ signing_req ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment

openssl-server.cnf:

HOME            = .
RANDFILE        = $ENV::HOME/.rnd

####################################################################
[ req ]
default_bits        = 2048
default_keyfile     = ./intermediate/private/my.example.com.key.pem
distinguished_name  = server_distinguished_name
req_extensions      = server_req_extensions
string_mask         = utf8only

####################################################################
[ server_distinguished_name ]
countryName             = Country Name (2 letter code)
countryName_default     = SE

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Östergötland

localityName            = Locality Name (eg, city)
localityName_default    = Linköping

organizationName            = Organization Name (eg, company)
organizationName_default    = 

commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default  = 

emailAddress            = Email Address
emailAddress_default    = 

####################################################################
[ server_req_extensions ]
subjectKeyIdentifier    = hash
basicConstraints        = CA:FALSE
keyUsage                = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment               = "OpenSSL Generated Certificate"

####################################################################
[ alternate_names ]
DNS.1       = my.example.com

Commands:

touch index.txt
 echo 1000 > serial
 openssl genrsa -aes256 -out ca.key.pem 4096
 chmod 400 private/ca.key.pem
 openssl req -config openssl-ca.cnf -key ca.key.pem -new -x509 -days 7300
-sha256 -extensions ca_extensions -out ca.cert.pem
 chmod 444 ca.cert.pem

 openssl genrsa -aes256 -out server.key.pem 4096
 openssl req -config openssl-server.cnf -new -sha256 -key server.key.pem
-out my.example.com.csr.pem
 openssl ca -config openssl-ca.cnf -policy signing_policy -extensions
signing_req -out my.example.com.cert.pem -infiles my.example.com.csr.pem
 chmod 444 my.example.com.cert.pem
 cat ca.cert.pem > ca_chain.cert.pem

Why is there still "no shared ciphers"?

--
View this message in context: http://openssl.6102.n7.nabble.com/no-shared-cipher-at-ssl-accept-why-tp69201.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users