No server certificate and “no shared cipher” when clients connect

0 投票
最新提问 用户: (260 分)

I am writing a SSL server and client for communication. I have the following code for server

SSL_CTX* InitServerCTX(void)
{       
   SSL_METHOD *method;
   SSL_CTX *ctx;
   SSL_library_init();
   OpenSSL_add_all_algorithms();        /* load & register all cryptos, etc. */
   SSL_load_error_strings();

  ERR_load_crypto_strings();
  OpenSSL_add_all_ciphers();

  ctx = SSL_CTX_new(SSLv23_server_method());            /* Create new context */
  if ( ctx == NULL )
  {
       ERR_print_errors_fp(stderr);
       abort();
  }

  SSL_CTX_set_cipher_list(ctx, "HIGH:MEDIUM:!eNULL:!aNULL:!RC4");

  return ctx;  }

After this the code for accept is

 int client = accept(server, (sockaddr*)&addr, &len);       /* accept  connection as usual */
 printf("Connection: %s:%d\n",
 inet_ntoa(addr.sin_addr), ntohs(addr.sin_port));
 ssl = SSL_new(ctx);                            /* get new SSL state with context */
 SSL_set_fd(ssl, client);
 int ret = SSL_accept(ssl); 

And here is the client code

SSL_CTX* InitCTX(void)
{   
    SSL_METHOD *method;
    SSL_CTX *ctx;
    SSL_library_init();
    OpenSSL_add_all_algorithms();       /* Load cryptos, et.al. */
    SSL_load_error_strings();           /* Bring in and register error messages */
    ctx = SSL_CTX_new(SSLv23_client_method());          /* Create new context */
    if ( ctx == NULL )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }

    SSL_CTX_set_cipher_list(ctx, "HIGH:MEDIUM:!eNULL:!aNULL:!RC4");
    return ctx;
}

For connecting it is

ssl = SSL_new(ctx);                     /* create new SSL connection state */
SSL_set_fd(ssl, server);                /* attach the socket descriptor */
int ret = SSL_connect(ssl) ;

I am not using any certificates or keys.

When i try to connect using this approach i am getting no shared ciphers error on the server side. I think this is some configuration issue with respect to the ciphers. Can someone please point me the right direction.

Thanks

发表于 用户: (2.5k 分)
Typically, in this use case (no server auth), you use Anonymous Diffie-Hellman (ADH) or EC Anonymous Diffie-Hellman (ECADH). You should remove the !aNULL from the cipher suite list at both the client and server. Some user agents, like browsers, will not accept it. A related topic is opportunistic encryption. It is used in use cases like MTAs and mail servers, and it may be applicable in your use case.

1个回答

0 投票
最新回答 用户: (2.1k 分)
 SSL_CTX_set_cipher_list(ctx, "HIGH:MEDIUM:!eNULL:!aNULL:!RC4");

I am not using any certificates or keys.

Since you neither use certificates nor SRP the only possible ciphers are thus where no authentication of the server is done. But you did explicitly exclude these ciphers with !aNULL in both client and server. This means that none of the ciphers offered by the client or accepted by the server is able to work with no authentication which results in "no shared ciphers". From the documentation of ciphers:

aNULL
the cipher suites offering no authentication. This is currently the anonymous DH algorithms. These cipher suites are vulnerable to a "man in the middle" attack and so their use is normally discouraged.

发表于 用户: (100 分)
To expand on this, openssl doesn't error about a lot of bad configurations. You'll get the 'no shared ciphers' when your certificates/cipher list/cipher-specific-configurations don't match up. If you're just doing some quick testing follow stackoverflow.com/questions/10175812/… to make some certs, then pass them to SSL_CTX_use_certificate_chain_file, SSL_CTX_use_PrivateKey_file and SSL_CTX_load_verify_locations
发表于 用户: (260 分)
so if i allow all ciphers and dont specify the above line..will it allow me to connect?
发表于 用户: (2.1k 分)
@kunal: if you allow all ciphers or just aNULL in both client and server it will probably work or at least not result in this error (did not take a closer look at the rest of the code). But beware that this is highly insecure, i.e. man in the middle attack is easy unless you add some kind of proper server authentication.
发表于 用户: (100 分)
You need to specifically enable them by removing the ! in front of the aNULL cipher group, since these ciphers are disabled by default. You should not do this. Instead set up some certificates for internal testing, or use the preshared key ciphers.
发表于 用户: (260 分)
@SteffenUllrich i just want to test session negotiation to highest protocol supported and not use any version specific methods..i will update the code to secure ciphers once i am able to establish this
欢迎来到 Security Q&A ,有什么不懂的可以尽管在这里提问,你将会收到社区其他成员的回答。
...