by jimi posted on 2004/03/15 |
|
Hi,
I started using your TLS implementation; however, I always get a reply from the openssl server: no shared cipher.
I use
options.AllowedAlgorithms = SslAlgorithms.ALL;
openssl is started like:
openssl
OpenSSL> s_server -msg -debug -accept 5000 -nocert -tls1
openssl log:
ACCEPT
read from 080B3B60 [080B9158] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 2d ....-
read from 080B3B60 [080B915D] (45 bytes => 45 (0x2D))
0000 - 01 00 00 29 03 01 40 56-32 b3 1a 24 d7 15 5b 4f ...)..@V2..$..[O
0010 - 3a 4a 31 0a 59 23 5f ee-0a 54 d7 61 1d e5 57 50 :J1.Y#_..T.a..WP
0020 - e9 05 32 d0 d2 61 00 00-02 00 05 01 ..2..a......
002d - <SPACES/NULS>
<<< TLS 1.0 Handshake [length 002d], ClientHello
01 00 00 29 03 01 40 56 32 b3 1a 24 d7 15 5b 4f
3a 4a 31 0a 59 23 5f ee 0a 54 d7 61 1d e5 57 50
e9 05 32 d0 d2 61 00 00 02 00 05 01 00
write to 080B3B60 [080C32C8] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28 ......(
>>> TLS 1.0 Alert [length 0002], fatal handshake_failure
02 28
ERROR
6770:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:886:
shutting down SSL
thx for your help or suggestions :) |
by Pieter Philippaerts [Pieter at mentalis dot org] posted on 2004/03/15 |
|
Using the 'nocert' parameter when starting OpenSSL restricts the cipher suites it can use to anonymous Diffie-Hellman [a cipher suite which is extremely insecure, by the way].
None of the Diffie-Hellman suites are supported by the Security Library, hence the 'no shared cipher' error.
To fix the problem, start the OpenSSL server using a valid RSA server certificate. |
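Added example, not part of the original posts or the Security Library's code: the ClientHello bytes from the dump in the question, parsed to show which cipher suites the client offered and why a server limited to anonymous DH finds nothing in common. The suite table is a small subset chosen for this example, and treating a certificate-less server as "anonymous DH only" is an assumption taken from the answer above.

```python
import struct

# ClientHello record copied from the s_server -debug dump in the question.
RECORD = bytes.fromhex(
    "16 03 01 00 2d"
    "01 00 00 29 03 01 40 56 32 b3 1a 24 d7 15 5b 4f"
    "3a 4a 31 0a 59 23 5f ee 0a 54 d7 61 1d e5 57 50"
    "e9 05 32 d0 d2 61 00 00 02 00 05 01 00"
)

# Cipher suite IDs from the TLS registry (subset chosen for this example).
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x001A: "TLS_DH_anon_WITH_DES_CBC_SHA",
    0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
    0x0034: "TLS_DH_anon_WITH_AES_128_CBC_SHA",
}
# Assumption: a server without a certificate can only pick anonymous DH suites.
ANON_ONLY_SERVER = [s for s, name in SUITES.items() if "_anon_" in name]

def parse_client_hello(record):
    """Return (client_version, [cipher suite IDs]) from one TLS record."""
    if len(record) < 5:
        raise ValueError("record header too short")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len or len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:  # version(2) + random(32) + session_id length(1)
        raise ValueError("ClientHello too short")
    pos = 35 + hello[34]  # skip the session_id
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + cs_len]
    if cs_len % 2 or len(raw) != cs_len:
        raise ValueError("malformed cipher_suites vector")
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]
    return int.from_bytes(hello[0:2], "big"), suites

def negotiate(offered, server_suites):
    """First client-offered suite the server also has, or None (handshake_failure)."""
    return next((s for s in offered if s in server_suites), None)

if __name__ == "__main__":
    version, offered = parse_client_hello(RECORD)
    for s in offered:
        print(f"offered 0x{s:04x} {SUITES.get(s, 'unknown')} (hello 0x{version:04x})")
    print("anon-DH-only server picks:", negotiate(offered, ANON_ONLY_SERVER))
```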
by jimi posted on 2004/03/16 |
|
thx for your answer, though, I still have a problem. I try to connect to a TLS enabled server, but I always get this no shared cipher error too.
I'm able to connect to this server using openssl s_client:
openssl s_client -ign_eof -tls1 -cipher 'ALL:NULL:!MD5:@STRENGTH' -connect ip:port
(the server doesn't take MD5, just SHA)
but not with mentalis (no shared cipher error)
I'm not really sure what I'm doing wrong
again, thx for your help! |
by jimi posted on 2004/03/16 |
|
oh well; I found out I think
in fact I used that -nocert in openssl to mimic the server behavior and.. hmm just discovered that it used this anonymous cipher by default.
So thx again for the answer!
time to google for this cipher probs :) |
by jimi posted on 2004/03/16 |
|
I feel stupid in the morning;)
evidently, without certs it's vulnerable to man in the middle attacks, so the cipher isn't really useful to these applications .. |
by jimi posted on 2004/03/16 |
|
One last thing...
the server I'm connecting to plans to use a certificate if available, but if the user doesn't set it up, it falls back to anonymous DH.
I'd like to be fully compatible with them then, hence my questions:
- Will you implement it in the library ?
- Is there any other library supporting it ?
- Is it "easy" to add if I needed to write support for it and document myself ?
Thanks a lot |
by Pieter Philippaerts [Pieter at mentalis dot org] posted on 2004/03/16 |
|
> Will you implement it in the library ?
No, we're not going to add new features to the library; we're only going to fix bugs. The reason for this is because .NET 1.2 will have an SslClientStream class and we don't want to spend a lot of time now implementing new features that will be obsolete in a few months.
> Is there any other library supporting it ?
Perhaps there are some commercial .NET SSL libraries that support this, but they're quite pricey.
> Is it "easy" to add if I needed to write support for it and document myself ?
That depends on the amount of experience you have with implementing security protocols, and SSL in particular. If you have no experience with this, it's quite difficult. |