News  [SoftwareSite

Latest News
Older News
RSS Feed
 
Complete Projects
Useful Classes
Top Downloads
Message Board
AllAPI.net
 
Send Comments
Software License
Mentalis.org Buttons
Donate
 
Forums -> Security Library Forum
 
no shared cipher  
by jimi
posted on 2004/03/15

Hi,
i started using your TLS implementation, however, i always get a reply from openssl server: no shared cipher.
I use
options.AllowedAlgorithms = SslAlgorithms.ALL;
openssl is started like:
openssl
OpenSSL> s_server -msg -debug -accept 5000 -nocert -tls1
openssl log:
ACCEPT
read from 080B3B60 [080B9158] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 2d ....-
read from 080B3B60 [080B915D] (45 bytes => 45 (0x2D))
0000 - 01 00 00 29 03 01 40 56-32 b3 1a 24 d7 15 5b 4f ...)..@V2..$..[O
0010 - 3a 4a 31 0a 59 23 5f ee-0a 54 d7 61 1d e5 57 50 :J1.Y#_..T.a..WP
0020 - e9 05 32 d0 d2 61 00 00-02 00 05 01 ..2..a......
002d - <SPACES/NULS>
<<< TLS 1.0 Handshake [length 002d], ClientHello
01 00 00 29 03 01 40 56 32 b3 1a 24 d7 15 5b 4f
3a 4a 31 0a 59 23 5f ee 0a 54 d7 61 1d e5 57 50
e9 05 32 d0 d2 61 00 00 02 00 05 01 00
write to 080B3B60 [080C32C8] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28 ......(
>>> TLS 1.0 Alert [length 0002], fatal handshake_failure
02 28
ERROR
6770:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:886:
shutting down SSL

thx for your help or suggestions :)

by Pieter Philippaerts [Pieter at mentalis dot org]
posted on 2004/03/15

Using the 'nocert' parameter when starting OpenSSL restricts the cipher suites it can use to anonymous Diffie-Hellman [a cipher suite which is extremely insecure, by the way].
None of the Deffie-Hellman suites are supported by the Security Library, hence the 'no shared cipher' error.
To fix the problem, start the OpenSSL server using a valid RSA server certificate.

by jimi
posted on 2004/03/16

thx for your answer, though, i still have a problem. i try to connect to a TLS enabled server, but i always get this no shared cipher error too.
I'm able to connect to this server using openssl s_client:
openssl s_client -ign_eof -tls1 -cipher 'ALL:NULL:!MD5:@STRENGTH' -
connect ip:port
(the server doesn't takes MD5, just SHA)
but not with mentalis (no shared cipher error)
i'm not really sure what i'm doing wrong
again, thx for your help!

by jimi
posted on 2004/03/16

oh well; i found out i think
in fact i used that -nocert in openssl to mimic the server behavior and.. hmm just dicovered that it used this anonymous cipher by default.

So thx again for the answer!

time to google for this cipher probs :)

by jimi
posted on 2004/03/16

i feel stupid in the morning;)
evidently, without certs its vulnerable to man in the middle attacks, so the cipher isn't really usefull to theses applications ..

by jimi
posted on 2004/03/16

One last thing...

the server i'm connecting to plans to use certificate if available, but if the user don't set it up, it falls back to anonymous DH.

I'd like to be fully compatible with them then, hence my questions:
- Will you implement it in the library ?
- Is there any other library supporting it ?
- Is it "easy" to add if I needed to write support for it and document myself ?

Thanks a lot

by Pieter Philippaerts [Pieter at mentalis dot org]
posted on 2004/03/16

> Will you implement it in the library ?

No, we're not going to add new features to the library; we're only going to fix bugs. The reason for this is because .NET 1.2 will have an SslClientStream class and we don't want to spend a lot of time now implementing new features that will be obsolete in a few months.

> Is there any other library supporting it ?

Perhaps there are some commercial .NET SSL libraries that support this, but they're quite pricey.

>Is it "easy" to add if I needed to
> write support for it and document myself ?

That depends on the amount of experience you have with implementing security protocols, and SSL in particular. If you have no experience with this, it's quite difficult.

 

Copyright © 2002-2007, The Mentalis.org Team. All rights reserved.
This site is located at http://www.mentalis.org/
Send comments to the webmaster.