
some troubles with SSL: no shared ciphers

Added by c0da over 13 years ago

I am trying to use SSL in lighttpd-1.4.26 on ArchLinux with openssl-1.0.0a. The sequence of my actions follows.

I create a DSA key and certificate (it is not self-signed) and put them both into a single file. I add the following to /etc/lighttpd/lighttpd.conf:

$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/tls/certpair.pem"
        ssl.cipher-list = "TLSv1+HIGH:SSLv3+HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
}

I check the certificate:

# openssl verify < /etc/lighttpd/tls/certpair.pem 
stdin: OK

and restart lighttpd. Everything should be fine, but when I try to connect to the server with openssl s_client I get:

$ openssl s_client -connect localhost:443
CONNECTED(00000003)
140340795717288:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:658:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 211 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Ok. 'Something is wrong', I think, and try to clear things up with ssldump, but that:

# ssldump -i lo port 443
New TCP connection #1: 0x01.imm.uran.ru(53425) <-> 195.19.144.11(443)
1 1  0.0008 (0.0008)  C>S  Handshake
      ClientHello
        Version 3.1 
        cipher suites
        Unknown value 0xc014
        Unknown value 0xc00a
        Unknown value 0x39
        Unknown value 0x38
        Unknown value 0x88
        Unknown value 0x87
        Unknown value 0xc019
        Unknown value 0x3a
        Unknown value 0x89
        Unknown value 0xc00f
        Unknown value 0xc005
        Unknown value 0x35
        Unknown value 0x84
        Unknown value 0xc012
        Unknown value 0xc008
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc017
        TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc00d
        Unknown value 0xc003
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc013
        Unknown value 0xc009
        Unknown value 0x33
        Unknown value 0x32
        Unknown value 0x45
        Unknown value 0x44
        Unknown value 0xc018
        Unknown value 0x34
        Unknown value 0x46
        Unknown value 0xc00e
        Unknown value 0xc004
        Unknown value 0x2f
        Unknown value 0x41
        Unknown value 0xff
        compression methods
                unknown value
                  NULL
1 2  0.0019 (0.0011)  S>C  Alert
    level           fatal
    value           handshake_failure
1    0.0024 (0.0005)  C>S  TCP FIN
1    0.0026 (0.0002)  S>C  TCP FIN

does not help. lighttpd just disconnects, logging the message:

2010-08-26 17:06:30: (connections.c.294) SSL: 1 error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

That's it, I do not know what to do next. I get the same result in both cases: (1) without the ssl.cipher-list option and (2) with s_client -cipher 'the-same-cipher-list-as-above':

$ openssl s_client -connect localhost:443 -cipher 'TLSv1+HIGH:SSLv3+HIGH:!aNULL:!eNULL:!3DES:@STRENGTH'
CONNECTED(00000003)
3075466888:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:658:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 161 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Any help? Thanks in advance.
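A check that is useful on a server reporting 'no shared cipher': a certificate can only authenticate the cipher suites whose authentication algorithm matches its key type (a DSA certificate only the Au=DSS suites, which are all DHE suites and therefore also need DH parameters loaded on the server), so the configured cipher list has to contain at least one such suite. The script below is an added example, not part of the thread; it expands the thread's cipher-list string through the local libssl (the same data `openssl ciphers -v` prints) and filters it by certificate key type. The sample description lines are constructed for the offline test.

```python
import re
import ssl

# Cipher-list string taken from the lighttpd.conf quoted in the thread.
CIPHER_LIST = "TLSv1+HIGH:SSLv3+HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"

# Certificate key type -> authentication tag that OpenSSL prints as "Au="
# in `openssl ciphers -v`. TLS 1.3 suites print "Au=any" and fit every key.
KEY_TO_AUTH = {"RSA": "RSA", "DSA": "DSS", "EC": "ECDSA"}

# One line of `openssl ciphers -v`: NAME PROTO Kx=... Au=... Enc=... Mac=...
DESC_RE = re.compile(r"^(?P<name>\S+)\s+\S+\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)")

# Constructed sample in the same layout, so the check also runs offline.
SAMPLE_DESCRIPTIONS = [
    "DHE-RSA-AES256-SHA      SSLv3 Kx=DH   Au=RSA Enc=AES(256) Mac=SHA1",
    "DHE-DSS-AES256-SHA      SSLv3 Kx=DH   Au=DSS Enc=AES(256) Mac=SHA1",
    "AES256-SHA              SSLv3 Kx=RSA  Au=RSA Enc=AES(256) Mac=SHA1",
    "ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1",
]


def expand_cipher_list(cipher_list):
    """Expand a cipher-list string through the local libssl; each entry has
    the layout of one line of `openssl ciphers -v <list>`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)
    return [c["description"] for c in ctx.get_ciphers()]


def diagnose(descriptions, key_type):
    """Keep the suites a certificate of `key_type` (RSA, DSA or EC) can
    authenticate and flag whether all of them are ephemeral-DH suites (Kx=DH),
    which a server can only offer if it also has DH parameters loaded."""
    want = KEY_TO_AUTH[key_type]
    usable, kx = [], []
    for line in descriptions:
        m = DESC_RE.match(line.strip())
        if m and m.group("au") in (want, "any"):
            usable.append(m.group("name"))
            kx.append(m.group("kx"))
    all_dh = bool(usable) and all(k == "DH" for k in kx)
    return {"usable": usable, "all_need_dh_params": all_dh}


if __name__ == "__main__":
    lines = expand_cipher_list(CIPHER_LIST)
    for key in ("RSA", "DSA"):
        r = diagnose(lines, key)
        print(f"{key} cert: {len(r['usable'])}/{len(lines)} suites usable, "
              f"all DHE: {r['all_need_dh_params']}")
        if not r["usable"]:
            print("  -> every ClientHello would end in 'no shared cipher'")
```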

Replies (4)

RE: some troubles with SSL: no shared ciphers - Added by JustinK101 over 13 years ago

I think there was a SERIOUS bug in earlier versions of lighttpd. We had to upgrade to 1.4.28 to get SSL working properly.

RE: some troubles with SSL: no shared ciphers - Added by c0da over 13 years ago

I have upgraded to 1.4.28, but results are the same, except that 'no shared cipher' error emerges now in line 299 of connections.c. What else could be wrong in my setup? Could anyone, please, show the working lighttpd configuration with SSL?

RE: some troubles with SSL: no shared ciphers - Added by nitrox over 13 years ago

If you do not define a cipher-list, does it work? I mean you can still use openssl s_client -connect localhost:443 -cipher 'TLSv1+HIGH:SSLv3+HIGH:!aNULL:!eNULL:!3DES:@STRENGTH' to connect to lighty. If that still doesn't work, there seems to be something wrong with your openssl, in which case I can't really help; ask them about it. If it works, you maybe just want to define a few basic ciphers supported by most browsers.

RE: some troubles with SSL: no shared ciphers - Added by c0da over 13 years ago

I've tried both variants: without cipher-list and with the cipher specification for s_client. Both methods do not work. But it seems openssl is operational... hm... in some sense: I have postfix, dovecot and ejabberd running with SSL on the box where I'd like to run lighty. Postfix successfully exchanges with different mail hosts using SSL. And apache works fine with the certificates and keys I've prepared for lighttpd (but I like lighttpd, I do not want apache).

Ok. If it is a bug, and I'd like to fix it, where should I look? Or where should I ask where I should look? :)
