infowanna

Reputation: 199

gSOAP SSL - converting existing code to ssl

The earlier version of this question got no response, so I'm updating the entire thing:

I have a test gSOAP Client and server on my machine. The client does an MTOM upload of various files to the server. When attempting to convert the code to ssl I get the following error:

The server reports:

"SSL_ERROR_SSL
error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher"

The client reports:

An SSL error occured
SOAP 1.2 fault SOAP-ENV:Receiver [no subcode]
"SSL_ERROR_SSL
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure"
Detail: SSL_connect error in tcp_connect()

It runs without the "SSL" option. Can someone advise me as to what I'm doing wrong?

Applicable client code -

if(fSSL)
    soap_ssl_init();
. . .
soap_init1(&my_soap, SOAP_ENC_MTOM);  /* Enable MTOM */
. . .
if(fSSL)
{
    if (soap_ssl_client_context(&my_soap,
        SOAP_SSL_NO_AUTHENTICATION + SOAP_TLSv1_2,
        NULL, // client keyfile
        NULL, // passphrase for keyfile
        NULL, // certified authority certificate
        NULL, // directory for trusted certificates
        NULL))// random data for seed
        {
            soap_print_fault(&my_soap, stderr);
            ...
        }
}
...
long gsoap_status = soap_call___ns1__upload(&my_soap, endpoint.c_str(), NULL, &upload_parms, &upload_response);

Applicable server code -

if(fSSL)
    soap_ssl_init();
. . .
soap_init1(&my_soap, SOAP_ENC_MTOM);  /* Enable MTOM */
. . .
if(fSSL)
{
    if (soap_ssl_server_context(&my_soap,
        SOAP_SSL_NO_AUTHENTICATION + SOAP_TLSv1_2, // per EMAIL - option 1
        NULL,    // keyfile - required for authentication
        NULL,    // password to read keyfile
        NULL,    // optional cacert file
        NULL,    // optional directory with trusted certificates (capath)
        NULL,    // DH filename or DH key length in bits
        NULL,    // randfile
        NULL))   // optional server identification (enable SSL session cache)
        {
            soap_print_fault(&my_soap, stderr);
            exit(0);
        }
}
. . .
my_soap.connect_timeout = 20; 
my_soap.send_timeout = 60; 
my_soap.recv_timeout = 60; 
if(!soap_valid_socket(soap_bind(&my_soap, NULL, port, 100)))
{
    soap_print_fault(&my_soap, stderr);
    exit(1);
}
fprintf(stderr, "Bind to port %d successful\n", port);

// server loop starts
for (;;)
{
    printf("server loop sta\n");
    int t_socket = soap_accept(&my_soap);
    struct soap* t_soap = 0;
    t_soap = soap_copy(&my_soap);
    if(fSSL)
    {
        if(soap_ssl_accept(&my_soap))   // <------ FAILS HERE
        {
            printf("NOT Accepting (ssl) socket=%d connection from IP: %d.%d.%d.%d ...", t_socket,
                        (int)my_soap.ip>>24&0xFF,
                        (int)my_soap.ip>>16&0xFF,
                        (int)my_soap.ip>>8&0xFF,
                        (int)my_soap.ip&0xFF);
            soap_print_fault(&my_soap, stderr);
            soap_destroy(&my_soap);
            soap_end(&my_soap);
            continue;
        }
    }
    . . .
    if(soap_serve(&my_soap))
        ...
}

Server Console output:

Bind to port 8080 successful
server loop sta
NOT Accepting (ssl) socket=364 connection from IP: 127.0.0.1 ...Error 30 fault is internal [no subcode]
"SSL_ERROR_SSL
error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher"
Detail: SSL_accept() failed in soap_ssl_accept()

Upvotes: 0

Views: 971

Answers (1)

cjhColorado

Reputation: 21

I'm working on this now. I think the errors that you are seeing are because most/all distributions of OpenSSL do not support anonymous authentication any longer due to man-in-the-middle attacks. A self-signed certificate on the server side may be the only way to make these examples work.

Upvotes: 1
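
The failure discussed in this thread can be reproduced without gSOAP. The following is an added example, not code from the question or the answer: it uses Python's `ssl` module (which wraps OpenSSL) as a stand-in, runs a TLS 1.2 handshake in memory against a server context that has no key or certificate loaded, and returns the error each side sees. The function names `anonymous_suites` and `handshake_without_server_cert` are hypothetical.

```python
import ssl

def anonymous_suites(ctx):
    """Names of unauthenticated (ADH/AECDH) cipher suites enabled in ctx."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["name"].startswith(("ADH-", "AECDH-"))]

def handshake_without_server_cert():
    """Handshake in memory, no sockets. Returns (server_reason, client_reason)."""
    # No load_cert_chain() call: the analogue of passing keyfile = NULL.
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Mirrors SOAP_SSL_NO_AUTHENTICATION on the client: no peer verification.
    client_ctx.check_hostname = False
    client_ctx.verify_mode = ssl.CERT_NONE
    for ctx in (server_ctx, client_ctx):
        # Pin TLS 1.2, as SOAP_TLSv1_2 does in the question.
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2

    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    sides = (("client", client, c_out, s_in),
             ("server", server, s_out, c_in))

    reasons = {}
    for _ in range(4):  # a few round trips are enough to reach the failure
        for name, side, out, peer_in in sides:
            if name in reasons:
                continue
            try:
                side.do_handshake()
            except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
                pass  # needs more data from the peer
            except ssl.SSLError as exc:
                reasons[name] = exc.reason
            peer_in.write(out.read())  # deliver pending bytes, alerts included
    return reasons.get("server"), reasons.get("client")

if __name__ == "__main__":
    default_server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print("anonymous suites enabled by default:", anonymous_suites(default_server))
    print("server, client errors:", handshake_without_server_cert())
```

With no certificate loaded and no anonymous suites enabled, the server has nothing it can select from the client's list, which is the "no shared cipher" error on the server and the handshake-failure alert on the client.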
