
OpenSSL 1.0.1 example with SRP


Norm Green

Oct 24, 2011, 11:15:50 PM
Hello Experts,

I'm new to OpenSSL so please bear with me.

I'm trying to construct a simple example that uses a recent OpenSSL 1.0.1 snapshot to create a secure connection using SRP without using any certificates. I am aware 1.0.1 is not yet released, but I've been told this should be possible.

Here's how I'm setting up the client:

srpclient.c:

SSL_load_error_strings();
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();
(void) SSL_library_init(); // always succeeds per man page

const SSL_METHOD *meth = TLSv1_client_method();
SSL_CTX *ctx = SSL_CTX_new(meth);
SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
SSL_CTX_SRP_CTX_init(ctx);

if (SSL_CTX_set_cipher_list(ctx, "aNULL:!eNULL:!LOW:!EXPORT:@STRENGTH") != 1)
    handleError("SSL_CTX_set_cipher_list failed");

if (SSL_CTX_set_srp_username(ctx, (char *) USER_NAME) != 1)
    handleError("SSL_CTX_set_srp_username failed");

if (SSL_CTX_set_srp_password(ctx, (char *) PASSWORD) != 1)
    handleError("SSL_CTX_set_srp_password failed");

if (SSL_CTX_set_srp_strength(ctx, 1024) != 1)
    handleError("SSL_CTX_set_srp_strength failed");

SSL *ssl = SSL_new(ctx);
if (ssl == NULL)
    handleError("SSL_new failed");

if (SSL_set_fd(ssl, sock) != 1)
    handleError("SSL_set_fd failed");

int rc = SSL_connect(ssl);

=================================
and here is the server side:
=================================
srpserver.c:

SSL_load_error_strings();
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();
(void) SSL_library_init(); // always succeeds per man page

// const SSL_METHOD *meth = SSLv23_server_method();

const SSL_METHOD *meth = TLSv1_server_method();
SSL_CTX *ctx = SSL_CTX_new(meth);
SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
SSL_CTX_SRP_CTX_init(ctx);

if (SSL_CTX_set_cipher_list(ctx, "aNULL:!eNULL:!LOW:!EXPORT:@STRENGTH") != 1)
    handleError("SSL_CTX_set_cipher_list failed");

SSL *ssl = SSL_new(ctx);
if (ssl == NULL) {
    handleError("SSL_new() failed");
}

if (SSL_set_fd(ssl, sock) != 1)
    handleError("SSL_set_fd failed");

if (SSL_set_srp_server_param_pw(ssl, USER_NAME, PASSWORD, "1024") != 1)
    handleError("SSL_set_srp_server_param_pw failed");

int rc = SSL_accept(ssl);

=========================
On the server side I get this output:
normg@conifer>./srpserver

Server is starting to listen on port 57784
Server is starting accept on port 57784
TCP/IP Connection accepted

SSL_accept failed, error=SSL_ERROR_SSL
Details: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
s3_srvr.c at 1306

============================
and on the client I get:

normg@conifer>./srpclient
TCP/IP connect succeeded
SSL_connect failed, error=SSL_ERROR_SSL
Details: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
s3_pkt.c at 1227


I've tried using various SSL methods such as SSLv3 and TLS_1_1, but I always get the same error.
It looks to me like the client still wants a cert from the server.

Another strange thing is that the following output seems to indicate the SRP ciphers seem to need SSLv3 instead of TLS1.x:

normg@conifer>./openssl ciphers -v 'ALL:eNULL' |grep -i SRP
SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=AES(256) Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(256) Mac=SHA1
SRP-AES-256-CBC-SHA SSLv3 Kx=SRP Au=None Enc=AES(256) Mac=SHA1
SRP-DSS-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=3DES(168) Mac=SHA1
SRP-RSA-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=3DES(168) Mac=SHA1
SRP-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=None Enc=3DES(168) Mac=SHA1
SRP-DSS-AES-128-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=AES(128) Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(128) Mac=SHA1
SRP-AES-128-CBC-SHA SSLv3 Kx=SRP Au=None Enc=AES(128) Mac=SHA1

normg@conifer>./openssl version
OpenSSL 1.0.1-dev xx XXX xxxx

Can anyone point me in the right direction so I can get a simple SRP example to work?

Thanks for any help,

Norm Green
VMware, Inc.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Norm Green

Oct 25, 2011, 12:00:59 AM
Hi Jeff,

> Was OPENSSL_NO_SRP defined when you built?
I'm 99.9% sure it wasn't, otherwise the compiler would have barfed on my call to SSL_CTX_SRP_CTX_init()

> Thomas Wu's patches can be found in RT. The latest appears to be
> http://rt.openssl.org/Ticket/Display.html?id=2523&user=guest&pass=guest.

Thanks. I did see that but was hoping that his code had been merged to 1.0.1 by now since it was posted back in May. I need to look into that code further.

Norm

Peter Sylvester

Oct 25, 2011, 6:18:39 AM
On 10/25/2011 05:15 AM, Norm Green wrote:
> Hello Experts,
>
> I'm new to OpenSSL so please bear with me.
>
> I'm trying to construct a simple example that uses a recent OpenSSL 1.0.1 snapshot to create a secure connection using SRP without using any certificates. I am aware 1.0.1 is not yet released, but I've been told this should be possible.

Try this first with s_client and s_server; you need cipher SRP for them.

What happens when you connect to your server with

openssl s_client -srpuser <USER> -cipher SRP -connect server:port

Norm Green

Oct 25, 2011, 9:58:12 AM
Hi Peter,

Same error on the server:

normg@conifer>./srpserver

Server is starting to listen on port 57784

Server is starting accept on port 57784
Connection accepted
SSL_accept failed, error=SSL_ERROR_SSL
Details: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
s3_srvr.c at 1306
/home/normg/gssua/srp
normg@conifer>



Client output:

normg@conifer>$GEMSTONE/bin/openssl s_client -srpuser SystemUser -cipher SRP -connect localhost:57784
CONNECTED(00000003)
18446741324916266428:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1227:SSL alert number 40
18446741324916266428:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:592:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1319550564
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---

Norm Green

Oct 26, 2011, 10:28:09 PM
Is there no one that can help me get a simple SRP test case working? Or should I conclude SRP is broken in OpenSSL 1.0.1?

From the output below, it appears the client and server support no less than 9 ciphers in common. Why then do I get the "no shared cipher" error?

I rebuilt the library with -DCIPHER_DEBUG and now get the following output from the handshake:


---------------------------------------------------------------
server:

openssl s_server -cipher SRP -nocert -tls1 -accept 57784 -debug

<SRP-DSS-AES-256-CBC-SHA>
<SRP-RSA-AES-256-CBC-SHA>
<SRP-AES-256-CBC-SHA>
<SRP-DSS-3DES-EDE-CBC-SHA>
<SRP-RSA-3DES-EDE-CBC-SHA>
<SRP-3DES-EDE-CBC-SHA>
<SRP-DSS-AES-128-CBC-SHA>
<SRP-RSA-AES-128-CBC-SHA>
<SRP-AES-128-CBC-SHA>
ACCEPT
read from 0x7e6f30 [0x7ec523] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 55 ....U
read from 0x7e6f30 [0x7ec528] (85 bytes => 85 (0x55))
0000 - 01 00 00 51 03 01 4e a8-bf bb 5d 89 f9 aa ae 3f ...Q..N...]....?
0010 - 5f df fd dd 70 1c 4d c1-91 09 94 84 47 2f 8e a7 _...p.M.....G/..
0020 - 99 d3 fe 73 6a e1 00 00-14 c0 22 c0 21 c0 20 c0 ...sj.....".!. .
0030 - 1c c0 1b c0 1a c0 1f c0-1e c0 1d 00 ff 01 00 00 ................
0040 - 14 00 0c 00 0c 0a 53 79-73 74 65 6d 55 73 65 72 ......SystemUser
0050 - 00 00 23 ..#
0055 - <SPACES/NULS>
Server has 9 from 7df600:
77e0e8:SRP-DSS-AES-256-CBC-SHA
77e090:SRP-RSA-AES-256-CBC-SHA
77e038:SRP-AES-256-CBC-SHA
77ded8:SRP-DSS-3DES-EDE-CBC-SHA
77de80:SRP-RSA-3DES-EDE-CBC-SHA
77de28:SRP-3DES-EDE-CBC-SHA
77dfe0:SRP-DSS-AES-128-CBC-SHA
77df88:SRP-RSA-AES-128-CBC-SHA
77df30:SRP-AES-128-CBC-SHA
Client sent 9 from 7df960:
77e0e8:SRP-DSS-AES-256-CBC-SHA
77e090:SRP-RSA-AES-256-CBC-SHA
77e038:SRP-AES-256-CBC-SHA
77ded8:SRP-DSS-3DES-EDE-CBC-SHA
77de80:SRP-RSA-3DES-EDE-CBC-SHA
77de28:SRP-3DES-EDE-CBC-SHA
77dfe0:SRP-DSS-AES-128-CBC-SHA
77df88:SRP-RSA-AES-128-CBC-SHA
77df30:SRP-AES-128-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000002:00000188:00000084]77e0e8:SRP-DSS-AES-256-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000001:00000188:00000084]77e090:SRP-RSA-AES-256-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000004:00000188:00000084]77e038:SRP-AES-256-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000002:00000188:00000084]77ded8:SRP-DSS-3DES-EDE-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000001:00000188:00000084]77de80:SRP-RSA-3DES-EDE-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000004:00000188:00000084]77de28:SRP-3DES-EDE-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000002:00000188:00000084]77dfe0:SRP-DSS-AES-128-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000001:00000188:00000084]77df88:SRP-RSA-AES-128-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000004:00000188:00000084]77df30:SRP-AES-128-CBC-SHA
write to 0x7e6f30 [0x7f5fd0] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28 ......(
ERROR
18446741324916266428:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1306:
shutting down SSL
CONNECTION CLOSED

---------------------------------------------------------------

Client:

openssl s_client -srpuser SystemUser -srppass stdin -tls1 -cipher SRP -connect localhost:57784 -debug

<SRP-DSS-AES-256-CBC-SHA>
<SRP-RSA-AES-256-CBC-SHA>
<SRP-AES-256-CBC-SHA>
<SRP-DSS-3DES-EDE-CBC-SHA>
<SRP-RSA-3DES-EDE-CBC-SHA>
<SRP-3DES-EDE-CBC-SHA>
<SRP-DSS-AES-128-CBC-SHA>
<SRP-RSA-AES-128-CBC-SHA>
<SRP-AES-128-CBC-SHA>
CONNECTED(00000003)
write to 0x7d23a0 [0x7f22e3] (90 bytes => 90 (0x5A))
0000 - 16 03 01 00 55 01 00 00-51 03 01 4e a8 bf bb 5d ....U...Q..N...]
0010 - 89 f9 aa ae 3f 5f df fd-dd 70 1c 4d c1 91 09 94 ....?_...p.M....
0020 - 84 47 2f 8e a7 99 d3 fe-73 6a e1 00 00 14 c0 22 .G/.....sj....."
0030 - c0 21 c0 20 c0 1c c0 1b-c0 1a c0 1f c0 1e c0 1d .!. ............
0040 - 00 ff 01 00 00 14 00 0c-00 0c 0a 53 79 73 74 65 ...........Syste
0050 - 6d 55 73 65 72 00 00 23- mUser..#
005a - <SPACES/NULS>
read from 0x7d23a0 [0x7edd83] (5 bytes => 5 (0x5))
0000 - 15 03 01 00 02 .....
read from 0x7d23a0 [0x7edd88] (2 bytes => 2 (0x2))
0000 - 02 28 .(
18446741324916266428:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1227:SSL alert number 40
18446741324916266428:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:592:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1319681979
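
The ClientHello in the s_server -debug dump above can be decoded by hand to see what the client actually offered. The following C sketch is an added example, not code from the thread or from OpenSSL: it parses the 85 handshake bytes copied from that dump and reports the SRP suites (0xC01A to 0xC022, RFC 5054), the SRP extension (type 12) with its username, and any bytes in the extension beyond the length-prefixed username. The names parse_client_hello and hello_info are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* ClientHello handshake message (85 bytes) copied from the -debug dump in the thread;
 * the last two 00 bytes are the ones the dump elides as <SPACES/NULS>. */
static const uint8_t HELLO[] = {
  0x01,0x00,0x00,0x51,0x03,0x01,0x4e,0xa8,0xbf,0xbb,0x5d,0x89,0xf9,0xaa,0xae,0x3f,0x5f,
  0xdf,0xfd,0xdd,0x70,0x1c,0x4d,0xc1,0x91,0x09,0x94,0x84,0x47,0x2f,0x8e,0xa7,0x99,0xd3,
  0xfe,0x73,0x6a,0xe1,0x00,0x00,0x14,0xc0,0x22,0xc0,0x21,0xc0,0x20,0xc0,0x1c,0xc0,0x1b,
  0xc0,0x1a,0xc0,0x1f,0xc0,0x1e,0xc0,0x1d,0x00,0xff,0x01,0x00,0x00,0x14,0x00,0x0c,0x00,
  0x0c,0x0a,0x53,0x79,0x73,0x74,0x65,0x6d,0x55,0x73,0x65,0x72,0x00,0x00,0x23,0x00,0x00 };
struct hello_info { int srp_suites, other_suites, has_srp_ext, slack; char user[256]; };
#define NEED(n) do { if ((size_t)(end - p) < (size_t)(n)) return -1; } while (0)
#define U16(q) ((unsigned)((q)[0] << 8 | (q)[1]))

/* Returns 0 on success, -1 on truncated or malformed input. */
int parse_client_hello(const uint8_t *p, size_t len, struct hello_info *out)
{
    const uint8_t *end = p + len;
    memset(out, 0, sizeof *out);
    NEED(4); if (p[0] != 0x01) return -1;                 /* handshake type: client_hello */
    size_t body = (size_t)p[1] << 16 | p[2] << 8 | p[3];
    p += 4; NEED(body); end = p + body;
    NEED(2 + 32 + 1); p += 34;                            /* client_version, random */
    size_t n = *p++; NEED(n); p += n;                     /* session_id */
    NEED(2); n = U16(p); p += 2; NEED(n); if (n % 2) return -1;
    for (size_t i = 0; i < n; i += 2)                     /* cipher_suites */
        if (U16(p + i) >= 0xC01A && U16(p + i) <= 0xC022) out->srp_suites++; else out->other_suites++;
    p += n; NEED(1); n = *p++; NEED(n); p += n;           /* compression_methods */
    if (p == end) return 0;                               /* hello without extensions */
    NEED(2); n = U16(p); p += 2; if (n != (size_t)(end - p)) return -1;
    while (p < end) {
        NEED(4); unsigned type = U16(p); size_t elen = U16(p + 2); p += 4; NEED(elen);
        if (type == 12) {                                 /* SRP extension: 1-byte length + username */
            if (elen < 1 || (size_t)p[0] + 1 > elen) return -1;
            memcpy(out->user, p + 1, p[0]);               /* user[] was zeroed, so it stays NUL-terminated */
            out->has_srp_ext = 1; out->slack = (int)(elen - 1 - p[0]);
        }
        p += elen;
    }
    return 0;
}

int main(void)
{
    struct hello_info h;
    int rc = parse_client_hello(HELLO, sizeof HELLO, &h);
    printf("rc=%d srp_suites=%d other=%d user=%s slack=%d\n", rc, h.srp_suites, h.other_suites, h.user, h.slack);
    return rc != 0;
}
```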

Jeffrey Walton

Oct 27, 2011, 2:46:32 AM
On Wed, Oct 26, 2011 at 10:28 PM, Norm Green <no...@vmware.com> wrote:
> Is there no one that can help me get a simple SRP test case working?  Or should I conclude SRP is broken in OpenSSL 1.0.1?
>
> From the output below, it appears the client and server support no less than 9 ciphers in common.  Why then do I get the "no shared cipher" error?
>
> I rebuilt the library with -DCIPHER_DEBUG and now get the following output from the handshake:
>
The best I can tell, the snapshot is broken.

Jeff

=== System ===
uname -a
Linux studio 2.6.32-34-generic #77-Ubuntu SMP Tue Sep 13 19:39:17 UTC
2011 x86_64 GNU/Linux

=== Server ===
openssl-1.0.1-stable-SNAP-20111027$ ./apps/openssl s_server -cipher
SRP -nocert -tls1 -accept 57784 -debug
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT

=== Client ===
openssl-1.0.1-stable-SNAP-20111027$ ./apps/openssl s_client -srpuser
SystemUser -srppass stdin -tls1 -cipher SRP -connect studio:57784
-debug
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
*** <hang> ***

=== GDB ===
ps -a
...
gdb attach 29478
GNU gdb (GDB) 7.3.1
...
attach: No such file or directory.
Attaching to process 29478
...
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging
symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
0x00007f3be499a4a0 in read () from /lib/libc.so.6
(gdb) where
#0 0x00007f3be499a4a0 in read () from /lib/libc.so.6
#1 0x00007f3be4935348 in _IO_file_underflow () from /lib/libc.so.6
#2 0x00007f3be4936eee in _IO_default_uflow () from /lib/libc.so.6
#3 0x00007f3be492b43e in _IO_getline_info () from /lib/libc.so.6
#4 0x00007f3be492a329 in fgets () from /lib/libc.so.6
#5 0x00000000004d31b5 in file_gets ()
#6 0x00000000004d09f9 in BIO_gets ()
#7 0x0000000000438072 in app_get_pass ()
#8 0x0000000000438325 in app_passwd ()
#9 0x000000000042859d in s_client_main ()
#10 0x0000000000402d50 in do_cmd ()
#11 0x00000000004036ff in main ()
(gdb)

Norm Green

Oct 27, 2011, 9:57:55 AM
> The best I can tell, the snapshot is broken.
At this point, I wouldn't be surprised.

Update:

I made some (major) changes to my example code based on the SRP code in ssltest.c. Mainly, I implemented and used all the SRP callback functions. Previously, I was setting the userId and password parameters explicitly thinking I shouldn't need the callbacks.

Now I get past the previous error and move on to this error on the server:

SSL_accept failed, error=SSL_ERROR_SSL
Details: error:0D06703E:asn1 encoding routines:a2i_ASN1_STRING:asn1 length mismatch
ssl_asn1.c at 641


On the client all I get is this:

SSL_connect failed, error=SSL_ERROR_SYSCALL
SSL_connect, errno=0, Error 0


This looks like the server is not liking something in a TLS extension used by SRP.

Any clues on how to get past this one?

Norm


----- Original Message -----
> From: "Jeffrey Walton" <nolo...@gmail.com>
> To: openss...@openssl.org
> Sent: Wednesday, October 26, 2011 11:46:32 PM
> Subject: Re: OpenSSL 1.0.1 example with SRP
>

Dr. Stephen Henson

Oct 27, 2011, 10:44:35 AM
On Thu, Oct 27, 2011, Norm Green wrote:

> > The best I can tell, the snapshot is broken.
> At this point, I wouldn't be surprised.
>
> Update:
>
> I made some (major) changes to my example code based on the SRP code in ssltest.c. Mainly, I implemented and used all the SRP callback functions. Previously, I was setting the userId and password parameters explicitly thinking I shouldn't need the callbacks.
>
> Now I get past the previous error and move on to this error on the server:
>
> SSL_accept failed, error=SSL_ERROR_SSL
> Details: error:0D06703E:asn1 encoding routines:a2i_ASN1_STRING:asn1 length mismatch
> ssl_asn1.c at 641
>
>

That was fixed a few days ago by this:

http://cvs.openssl.org/chngview?cn=21600

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Norm Green

Oct 27, 2011, 11:48:08 AM
That did the trick! My example code now sets up an SSL client/server connection using SRP.

Thanks very much Steve and all others who helped.

Norm


----- Original Message -----
> From: "Dr. Stephen Henson" <st...@openssl.org>
> To: openss...@openssl.org
> Sent: Thursday, October 27, 2011 7:44:35 AM
> Subject: Re: OpenSSL 1.0.1 example with SRP
>