rodolk

Reputation: 5907

"ssl3_get_client_hello:no shared cipher" in server depending on server certificate and key

I'm running a test with client and server using openssl. In my test, the server uses one (certificate, key) pair or the other based on a mode parameter.

#include <stdio.h>
#include <stdlib.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

void configure_context(SSL_CTX *ctx, int mode)
{
    /* SSL_CTX_use_certificate_file() and SSL_CTX_use_PrivateKey_file() return 1
     * on success and 0 on failure, so a "< 0" test never catches an error;
     * compare against 1 instead. */
    if (mode == 0) {
        /* Set the key and cert (CA-signed pair) */
        if (SSL_CTX_use_certificate_file(ctx, "./test/certs/testcert2.pem", SSL_FILETYPE_PEM) != 1) {
            ERR_print_errors_fp(stderr);
            exit(EXIT_FAILURE);
        }

        if (SSL_CTX_use_PrivateKey_file(ctx, "test2.key", SSL_FILETYPE_PEM) != 1) {
            ERR_print_errors_fp(stderr);
            exit(EXIT_FAILURE);
        }
    } else {
        /* Self-signed pair */
        if (SSL_CTX_use_certificate_file(ctx, "cert.pem", SSL_FILETYPE_PEM) != 1) {
            ERR_print_errors_fp(stderr);
            exit(EXIT_FAILURE);
        }

        if (SSL_CTX_use_PrivateKey_file(ctx, "key.pem", SSL_FILETYPE_PEM) != 1) {
            ERR_print_errors_fp(stderr);
            exit(EXIT_FAILURE);
        }
    }
}

cert.pem is a self-signed certificate while testcert2 is signed with a CA (mine) key.

When I use cert.pem, everything works well and the server selects cipher TLS_RSA_WITH_AES_128_GCM_SHA256.

When I use testcert2, I get error "ssl3_get_client_hello:no shared cipher" in the server.

  1. Is the selected cipher in the server dependent on the certificate and key?
  2. Could this error be due to something not related to the key?
  3. How can I check the ciphers that could be supported with certain key?

Thanks in advance for any response.

Upvotes: 1

Views: 4396

Answers (1)

Steffen Ullrich

Reputation: 123380

The choice of ciphers depends in part on the certificates, i.e. ciphers with RSA authentication need an RSA certificate, ciphers with ECDSA authentication an ECDSA certificate etc.

But another possibility is that the key and the certificate you load do not match each other. In this case no certificate can be used and it can only use ciphers with anonymous authentication. While your code loads the certificates it does not check if the key fits the certificate: use SSL_CTX_check_private_key for this.

Upvotes: 3
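The two checks the answer calls for, as an added shell example that is not part of the question or the answer: first, confirm that a private key really belongs to a certificate (the command-line counterpart of calling SSL_CTX_check_private_key after loading both files), and second, list the cipher suites whose authentication type that certificate can satisfy, which addresses the asker's third question. It assumes only that the openssl command-line tool is installed; the certificate, keys and file names it uses are constructed inside the script, not taken from the question.

```shell
#!/bin/sh
# Added example, not from the question or answer. Requires the `openssl` CLI.

# Exit 0 if the public key embedded in the certificate equals the public key
# derived from the private key, 1 otherwise. A mismatch is the state the
# answer describes: OpenSSL holds a certificate it cannot use, only anonymous
# (aNULL) suites remain, and a normal client gets "no shared cipher".
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Print the authentication tag (RSA, ECDSA, DSS) that a cipher suite must
# carry to use this certificate, read from its "Public Key Algorithm" line.
cert_auth_type() {
    algo=$(openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p' | head -n 1)
    case "$algo" in
        rsaEncryption)  echo RSA ;;
        id-ecPublicKey) echo ECDSA ;;
        dsaEncryption)  echo DSS ;;
        *)              echo UNKNOWN ;;
    esac
}

# List, one per line, the non-anonymous suites whose Au= field matches the
# certificate's key type. TLS 1.3 suites show Au=any because they work with
# any certificate type, so they are kept as well.
ciphers_for_cert() {
    auth=$(cert_auth_type "$1")
    openssl ciphers -v 'ALL:!aNULL' | awk -v au="Au=$auth" '$4 == au || $4 == "Au=any" { print $1 }'
}

# Demonstration on constructed material: a self-signed RSA certificate with
# its own key, plus an unrelated second key that must not match it.
demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.test \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/other.key" >/dev/null 2>&1
    if cert_key_match "$dir/cert.pem" "$dir/key.pem"; then
        echo "key.pem matches cert.pem"
    fi
    if ! cert_key_match "$dir/cert.pem" "$dir/other.key"; then
        echo "other.key does NOT match cert.pem (server would fall back to aNULL suites)"
    fi
    echo "Suites usable with cert.pem (first five):"
    ciphers_for_cert "$dir/cert.pem" | head -n 5
    rm -rf "$dir"
}

demo
```

With an RSA certificate the listed suites include AES128-GCM-SHA256, the OpenSSL name for the TLS_RSA_WITH_AES_128_GCM_SHA256 suite the asker saw with the working pair; with an ECDSA certificate the same function would print only ECDSA-authenticated and TLS 1.3 suites. Comparing the two public keys in PEM form is what `cert_key_match` does; for EC keys `openssl pkey -pubout` works just as it does for RSA, so the check is not tied to one key type.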
