On 13/12/16 21:09, Norm Green wrote:
> I have a simple C program that works in 1.0.2 but fails with the same
> code in 1.1.
> Here's the pseudo code for the client and server:
>
> Server:
> const SSL_METHOD *meth = TLSv1_2_server_method();
> SSL_CTX *ctx = SSL_CTX_new(meth);
> SSL_CTX_set_ecdh_auto(ctx, 1);
> SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
> SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
> SSL_CTX_set_cipher_list(ctx, "AECDH");
> SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
> SSL *ssl = SSL_new(ctx);
> SSL_accept(ssl);
>
>
> Client:
> const SSL_METHOD *meth = TLSv1_2_client_method();
> SSL_CTX *ctx = SSL_CTX_new(meth);
> SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
> SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
> SSL_CTX_set_cipher_list(ctx, "AECDH");
> SSL *ssl = SSL_new(ctx);
> SSL_connect(ssl);
>
>
> In 1.1, the client gets this error from SSL_connect()
>
> SSL_connect returned SSL_ERROR_SSL
> Details: error:141640B5:SSL routines:tls_construct_client_hello:no
> ciphers available
> ssl/statem/statem_clnt.c at 815
>
>
> What do I need to do to make AECDH work in 1.1 ?

AECDH is in security level 0 but the default security level is 1. Read
about security levels here:

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html

You need to set the security level to 0 either through a call to
SSL_CTX_set_security_level() or similar; or via the cipherstring using
"AECDH:@SECLEVEL=0". See:

https://www.openssl.org/docs/manmaster/man1/ciphers.html

Matt
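
Added example, not part of the original thread: the cipherstring behaviour described in the reply, reproduced with an in-memory TLS 1.2 handshake through Python's ssl module (a wrapper over OpenSSL 1.1 or later) rather than the C API. Level 1 is requested explicitly because Python or a distribution may configure a default other than OpenSSL's; make_ctx, pump and try_handshake are names chosen for this example.

```python
import ssl

def make_ctx(server_side, cipher_string):
    """TLS 1.2-only context mirroring the options in the thread's pseudo code."""
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE               # SSL_VERIFY_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 suites ignore this list
    ctx.set_ciphers(cipher_string)                # SSL_CTX_set_cipher_list()
    return ctx

def pump(src, dst):
    """Move pending TLS records from one side's output BIO to the peer's input."""
    data = src.read()
    if data:
        dst.write(data)

def try_handshake(cipher_string):
    """Return (True, cipher name) on success, (False, OpenSSL reason) on failure."""
    try:
        c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
        client = make_ctx(False, cipher_string).wrap_bio(c_in, c_out)
        # AECDH is anonymous ECDH, so the server needs no certificate loaded.
        server = make_ctx(True, cipher_string).wrap_bio(s_in, s_out, server_side=True)
        pending = [client, server]
        for _ in range(10):                       # a TLS 1.2 handshake needs ~5 rounds
            for side in list(pending):
                try:
                    side.do_handshake()
                    pending.remove(side)
                except ssl.SSLWantReadError:      # waiting for the peer's next flight
                    pass
            pump(c_out, s_in)
            pump(s_out, c_in)
            if not pending:
                return True, client.cipher()[0]
        return False, "handshake did not complete"
    except ssl.SSLError as exc:                   # e.g. no ciphers available
        return False, exc.reason or str(exc)

if __name__ == "__main__":
    for cs in ("AECDH:@SECLEVEL=1", "AECDH:@SECLEVEL=0"):
        print(cs, "->", try_handshake(cs))
```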