some troubles with SSL: no shared ciphers
Added by c0da over 14 years ago
I try to use SSL in lighttpd-1.4.26 on ArchLinux with openssl-1.0.0a. The sequence of my actions follows.
I create the DSA key and certificate (it is not self-signed), and put them both into single file. I add following to the /etc/lighttpd/lighttpd.conf:
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/tls/certpair.pem"
ssl.cipher-list = "TLSv1+HIGH:SSLv3+HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
}
I check the certificate:
# openssl verify < /etc/lighttpd/tls/certpair.pem stdin: OK
and restart lighttpd. Everything should be fine, but when i try to connect to the server with openssl s_client i get:
$ openssl s_client -connect localhost:443 CONNECTED(00000003) 140340795717288:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:658: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 211 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE ---
Ok. 'Something is wrong' - i think. And try to clear things with ssldump, but that:
# ssldump -i lo port 443
New TCP connection #1: 0x01.imm.uran.ru(53425) <-> 195.19.144.11(443)
1 1 0.0008 (0.0008) C>S Handshake
ClientHello
Version 3.1
cipher suites
Unknown value 0xc014
Unknown value 0xc00a
Unknown value 0x39
Unknown value 0x38
Unknown value 0x88
Unknown value 0x87
Unknown value 0xc019
Unknown value 0x3a
Unknown value 0x89
Unknown value 0xc00f
Unknown value 0xc005
Unknown value 0x35
Unknown value 0x84
Unknown value 0xc012
Unknown value 0xc008
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc017
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc00d
Unknown value 0xc003
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc013
Unknown value 0xc009
Unknown value 0x33
Unknown value 0x32
Unknown value 0x45
Unknown value 0x44
Unknown value 0xc018
Unknown value 0x34
Unknown value 0x46
Unknown value 0xc00e
Unknown value 0xc004
Unknown value 0x2f
Unknown value 0x41
Unknown value 0xff
compression methods
unknown value
NULL
1 2 0.0019 (0.0011) S>C Alert
level fatal
value handshake_failure
1 0.0024 (0.0005) C>S TCP FIN
1 0.0026 (0.0002) S>C TCP FIN
does not help. lighttpd just disconnects, logging the message:
2010-08-26 17:06:30: (connections.c.294) SSL: 1 error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
That's it, i do not know what to do next. The same result i get in both cases (1) without ssl.cipher-list option and (2) with s_client -cipher 'the-same-cipher-list-as-above':
$ openssl s_client -connect localhost:443 -cipher 'TLSv1+HIGH:SSLv3+HIGH:!aNULL:!eNULL:!3DES:@STRENGTH' CONNECTED(00000003) 3075466888:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:658: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 161 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE ---
Any help? Thanks in advance.
Replies (4)
RE: some troubles with SSL: no shared ciphers - Added by JustinK101 over 14 years ago
I think there was a SERIOUS bug in earlier versions of lighttpd. We had to upgrade to 1.4.28 to get SSL working properly.
RE: some troubles with SSL: no shared ciphers - Added by c0da over 14 years ago
I have upgraded to 1.4.28, but results are the same, except that 'no shared cipher' error emerges now in line 299 of connections.c. What else could be wrong in my setup? Could anyone, please, show the working lighttpd configuration with SSL?
RE: some troubles with SSL: no shared ciphers - Added by nitrox over 14 years ago
If you do not define a cipher-list it works? I mean you still can use openssl s_client -connect localhost:443 -cipher 'TLSv1+HIGH:SSLv3+HIGH:!aNULL:!eNULL:!3DES:@STRENGTH' to connect to lighty. If that still doesn´t work, there seems to be sth. wrong with your openssl, in which case i can´t really help, ask them about it. If it works, you maybe just want to define a few basic ciphers supported by most browsers.
RE: some troubles with SSL: no shared ciphers - Added by c0da over 14 years ago
I've tried both variats. Without cipher-list and with cipher specification for s_client. The both methods do not work. But it seems openssl is operational... hm... in some sense: i have postfix, dovecot and ejabberd running with SSL on the box, where i'd like to run lighty. Postfix successfully exchanges with different mail-hosts using SSL. And apache works fine with the certificates and keys i've prepared for lighttpd (but i like lighttpd, do not want apache).
Ok. If it is a bug, and i like to fix it, where i should look to? Or where i should ask where i should look to? :)