Re: AECDH problem: works in 1.0.2, fails in 1.1

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 13/12/16 21:09, Norm Green wrote:
> I have a simple C program that works in 1.0.2 but fails with the same
> code in 1.1.
> Here's the psuedo code for the client and server:
> 
> Server:
>   const SSL_METHOD *meth = TLSv1_2_server_method();
>   SSL_CTX *ctx = SSL_CTX_new(meth);
>   SSL_CTX_set_ecdh_auto(ctx, 1);
>   SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
>   SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
>   SSL_CTX_set_cipher_list(ctx, "AECDH");
>   SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
>   SSL *ssl = SSL_new(ctx);
>   SSL_accept(ssl);
> 
> 
> Client:
>   const SSL_METHOD *meth = TLSv1_2_client_method();
>   SSL_CTX *ctx = SSL_CTX_new(meth);
>   SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
>   SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
>   SSL_CTX_set_cipher_list(ctx, "AECDH");
>   SSL *ssl = SSL_new(ctx);
>   SSL_connect(ssl);
> 
> 
> In 1.1, the client gets this error from SSL_connect()
> 
> SSL_connect returned SSL_ERROR_SSL
> Details: error:141640B5:SSL routines:tls_construct_client_hello:no
> ciphers available
> ssl/statem/statem_clnt.c at 815
> 
> 
> What do I need to do to make AECDH work in 1.1 ?

AECDH is in security level 0 but the default security level is 1. Read
about security levels here:

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html

You need to set the security level to 0 either through a call to
SSL_CTX_set_security_level() or similar; or via the cipherstring using
"AECDH:@SECLEVEL=0". See:

https://www.openssl.org/docs/manmaster/man1/ciphers.html

Matt



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux