some troubles with SSL: no shared ciphers
Added by c0da over 14 years ago
I try to use SSL in lighttpd-1.4.26 on ArchLinux with openssl-1.0.0a. The sequence of my actions follows.
I create the DSA key and certificate (it is not self-signed), and put them both into a single file. I add the following to /etc/lighttpd/lighttpd.conf:

$SERVER["socket"] == ":443" {
    ssl.engine      = "enable"
    ssl.pemfile     = "/etc/lighttpd/tls/certpair.pem"
    ssl.cipher-list = "TLSv1+HIGH:SSLv3+HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
}
I check the certificate:
# openssl verify < /etc/lighttpd/tls/certpair.pem
stdin: OK

and restart lighttpd. Everything should be fine, but when I try to connect to the server with openssl s_client I get:

$ openssl s_client -connect localhost:443
CONNECTED(00000003)
140340795717288:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:658:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 211 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

OK. 'Something is wrong', I think, and try to clear things up with ssldump, but that:

# ssldump -i lo port 443
New TCP connection #1: 0x01.imm.uran.ru(53425) <-> 195.19.144.11(443)
1 1  0.0008 (0.0008)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        Unknown value 0xc014
        Unknown value 0xc00a
        Unknown value 0x39
        Unknown value 0x38
        Unknown value 0x88
        Unknown value 0x87
        Unknown value 0xc019
        Unknown value 0x3a
        Unknown value 0x89
        Unknown value 0xc00f
        Unknown value 0xc005
        Unknown value 0x35
        Unknown value 0x84
        Unknown value 0xc012
        Unknown value 0xc008
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc017
        TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc00d
        Unknown value 0xc003
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc013
        Unknown value 0xc009
        Unknown value 0x33
        Unknown value 0x32
        Unknown value 0x45
        Unknown value 0x44
        Unknown value 0xc018
        Unknown value 0x34
        Unknown value 0x46
        Unknown value 0xc00e
        Unknown value 0xc004
        Unknown value 0x2f
        Unknown value 0x41
        Unknown value 0xff
        compression methods
                unknown value
                NULL
1 2  0.0019 (0.0011)  S>C  Alert
    level           fatal
    value           handshake_failure
1    0.0024 (0.0005)  C>S  TCP FIN
1    0.0026 (0.0002)  S>C  TCP FIN
does not help. lighttpd just disconnects, logging the message:
2010-08-26 17:06:30: (connections.c.294) SSL: 1 error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
That's it, I do not know what to do next. I get the same result in both cases: (1) without the ssl.cipher-list option and (2) with s_client -cipher 'the-same-cipher-list-as-above':

$ openssl s_client -connect localhost:443 -cipher 'TLSv1+HIGH:SSLv3+HIGH:!aNULL:!eNULL:!3DES:@STRENGTH'
CONNECTED(00000003)
3075466888:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:658:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 161 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Any help? Thanks in advance.
Replies (4)
RE: some troubles with SSL: no shared ciphers - Added by JustinK101 over 14 years ago
I think there was a SERIOUS bug in earlier versions of lighttpd. We had to upgrade to 1.4.28 to get SSL working properly.
RE: some troubles with SSL: no shared ciphers - Added by c0da over 14 years ago
I have upgraded to 1.4.28, but the results are the same, except that the 'no shared cipher' error now emerges in line 299 of connections.c. What else could be wrong in my setup? Could anyone please show a working lighttpd configuration with SSL?
RE: some troubles with SSL: no shared ciphers - Added by nitrox over 14 years ago
If you do not define a cipher-list, does it work? I mean you can still use openssl s_client -connect localhost:443 -cipher 'TLSv1+HIGH:SSLv3+HIGH:!aNULL:!eNULL:!3DES:@STRENGTH' to connect to lighty. If that still doesn't work, there seems to be something wrong with your openssl, in which case I can't really help; ask them about it. If it works, maybe you just want to define a few basic ciphers supported by most browsers.
RE: some troubles with SSL: no shared ciphers - Added by c0da over 14 years ago
I've tried both variants: without a cipher-list and with the cipher specification for s_client. Neither method works. But it seems openssl is operational... hm... in some sense: I have postfix, dovecot and ejabberd running with SSL on the box where I'd like to run lighty. Postfix successfully exchanges with different mail hosts using SSL. And apache works fine with the certificates and keys I've prepared for lighttpd (but I like lighttpd, I do not want apache).
OK. If it is a bug and I'd like to fix it, where should I look? Or where should I ask where I should look? :)
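Editor's note, added to this thread and not part of any post or of lighttpd itself: the one variable nobody in the thread changed is the key type. A DSA certificate can only authenticate cipher suites with Au=DSS, and every DSS suite OpenSSL offers is an ephemeral-DH suite (Kx=DH, the DHE-DSS-* family); the ClientHello in the ssldump trace above already offers them (0x38 and 0x32 are TLS_DHE_DSS_WITH_AES_256_CBC_SHA and TLS_DHE_DSS_WITH_AES_128_CBC_SHA), so the client side is not what is missing. A DHE suite additionally needs DH parameters loaded on the server, and lighttpd only gained an option to load them (ssl.dh-file) in 1.4.29, after the versions tried here; a server with a DSA key and no DH parameters has nothing left to negotiate, which is exactly what "no shared cipher" reports, with or without ssl.cipher-list. The script below checks the key type in a pemfile and lists which suites from the thread's cipher list a server holding that key could offer. It assumes the pemfile uses the legacy "BEGIN DSA PRIVATE KEY" style header, uses a local openssl binary only if one is present, and otherwise falls back to a constructed sample in "openssl ciphers -v" format. The quickest confirmation is to regenerate the same certificate pair with an RSA key and leave the configuration untouched.

```shell
#!/bin/sh
# Added diagnostic for the "no shared cipher" symptom in the thread above.
# Not code from the thread or from the lighttpd project.
# Assumptions: the pemfile carries a legacy PEM header ("BEGIN DSA PRIVATE
# KEY" etc.); a local openssl binary is optional and used only for the
# live cipher listing.

# The cipher list from the lighttpd.conf in the original post.
CIPHER_LIST='TLSv1+HIGH:SSLv3+HIGH:!aNULL:!eNULL:!3DES:@STRENGTH'

# Constructed sample in "openssl ciphers -v" format (real suite names,
# OpenSSL 1.0.x style), used when openssl is not available.
SAMPLE_CIPHERS='DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1'

# Key type announced by the first private-key header in a PEM file.
# PKCS8 means an unencrypted "BEGIN PRIVATE KEY" block, whose algorithm
# is only visible inside the DER (use "openssl pkey -text" for those).
pem_key_type() {
    hdr=$(grep '^-----BEGIN .*PRIVATE KEY-----' "$1" | head -n 1)
    case "$hdr" in
        '')                          echo NONE ;;
        *'BEGIN RSA PRIVATE KEY'*)   echo RSA ;;
        *'BEGIN DSA PRIVATE KEY'*)   echo DSA ;;
        *'BEGIN EC PRIVATE KEY'*)    echo EC ;;
        *'BEGIN PRIVATE KEY'*)       echo PKCS8 ;;
        *)                           echo UNKNOWN ;;
    esac
}

# The OpenSSL "Au=" value a server holding this key type can satisfy.
auth_for_key() {
    case "$1" in
        RSA) echo RSA ;;
        DSA) echo DSS ;;
        EC)  echo ECDSA ;;
        *)   echo UNKNOWN ;;
    esac
}

# Filter "openssl ciphers -v" lines on stdin down to the suites whose
# authentication is $1, printing "<name> Kx=<key exchange>".
ciphers_with_auth() {
    awk -v want="Au=$1" '
        /Kx=/ {
            ok = 0; kx = ""
            for (i = 1; i <= NF; i++) {
                if ($i == want) ok = 1
                if ($i ~ /^Kx=/) kx = $i
            }
            if (ok) print $1, kx
        }'
}

# Suites from CIPHER_LIST (live openssl if present, else the sample)
# that a server holding a key of type $1 could actually offer.
usable_suites() {
    auth=$(auth_for_key "$1")
    if command -v openssl >/dev/null 2>&1; then
        openssl ciphers -v "$CIPHER_LIST" | ciphers_with_auth "$auth"
    else
        printf '%s\n' "$SAMPLE_CIPHERS" | ciphers_with_auth "$auth"
    fi
}

main() {
    ktype=$(pem_key_type "$1")
    echo "key in $1: $ktype"
    suites=$(usable_suites "$ktype")
    if [ -z "$suites" ]; then
        echo "no suite in the configured list matches this key type"
        return 0
    fi
    echo "suites a server with this key can offer:"
    printf '%s\n' "$suites" | sed 's/^/  /'
    # If no offered suite uses anything but ephemeral DH, the server also
    # needs DH parameters loaded, or it still has nothing to negotiate.
    if ! printf '%s\n' "$suites" | grep -qv 'Kx=DH$'; then
        echo "all of them use ephemeral DH (Kx=DH): the server needs DH parameters too"
    fi
}

# Usage: sh tls-diag.sh /etc/lighttpd/tls/certpair.pem
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Run it against the pemfile from the thread; a DSA key prints only DHE-DSS-* suites followed by the DH-parameters warning, while an RSA key in the same file lists both RSA and DHE-RSA suites, of which the plain RSA ones need no DH parameters.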