Does boost asio ssl support sslv3?
Hi,

I've been running boost asio socket and sslv2 for many months, it works very well:

server.cpp

    context_(boost::asio::ssl::context::sslv23)
    context_.set_options(boost::asio::ssl::context::default_workarounds
        | boost::asio::ssl::context::no_sslv2
        | boost::asio::ssl::context::single_dh_use);
    context_.set_password_callback(boost::bind(&Server::get_password, this));
    context_.use_certificate_chain_file("ssl/server.pem");
    context_.use_private_key_file("ssl/server.pem", boost::asio::ssl::context::pem);
    context_.use_tmp_dh_file("ssl/dh2048.pem");

on client.cpp

    boost::asio::ssl::context context(boost::asio::ssl::context::sslv23);

Recently we changed to a nodejs server which is using sslv3, and the client failed to connect to the sslv3 server:

Failed handshake: sslv3 alert handshake failure

Any tips how to fix the sslv3 handshake failure?

Thank you.

Kind regards,

- jh
On 09-10-19 at 12:40, JH via Boost wrote:
Failed handshake: sslv3 alert handshake failure
Any tips how to fix sslv3 handshake failure?
Are you using the appropriate `method` flag(s) initializing the SSL context? https://www.boost.org/doc/libs/1_64_0/doc/html/boost_asio/reference/ssl__con...
What version of OpenSSL are you using?
On Wed, Oct 9, 2019 at 3:40 AM JH via Boost wrote:
Hi,
I've been running boost asio socket and sslv2 for many months, it works very well:

server.cpp

    context_(boost::asio::ssl::context::sslv23)
    context_.set_options(boost::asio::ssl::context::default_workarounds
        | boost::asio::ssl::context::no_sslv2
        | boost::asio::ssl::context::single_dh_use);
    context_.set_password_callback(boost::bind(&Server::get_password, this));
    context_.use_certificate_chain_file("ssl/server.pem");
    context_.use_private_key_file("ssl/server.pem", boost::asio::ssl::context::pem);
    context_.use_tmp_dh_file("ssl/dh2048.pem");

on client.cpp

    boost::asio::ssl::context context(boost::asio::ssl::context::sslv23);

Recently we changed to a nodejs server which is using sslv3, and the client failed to connect to the sslv3 server:
Failed handshake: sslv3 alert handshake failure
Any tips how to fix sslv3 handshake failure?
Thank you.
Kind regards,
- jh
_______________________________________________ Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost
-- Regards, Vinnie Follow me on GitHub: https://github.com/vinniefalco
On 10/9/19, Vinnie Falco wrote:
What version of OpenSSL are you using?
I am running a test program on Ubuntu 18 with openssl 1.1.0g; in the real application on the ARM imx6 it is actually openssl-conf 1.1.1a-r0.
From Seth: Are you using the appropriate `method` flag(s) initializing the SSL context?
I tried both sslv3 and sslv3_client, it got the handshake error "Failed handshake: no protocols available". Which flag should be selected?

Thanks Seth and Vinnie.

- jh
Hi,

Any tips what I could be missing for the error of "Handshake failed: no protocols available"?

Using sslv23 in both server and client was fine, but when I changed it to use either sslv3, sslv3_client / sslv3_server, it gets that error "Handshake failed: no protocols available".

I am running the example code I downloaded from:

https://www.boost.org/doc/libs/1_66_0/doc/html/boost_asio/example/cpp03/ssl/...
https://www.boost.org/doc/libs/1_66_0/doc/html/boost_asio/example/cpp03/ssl/...

Thank you.

Kind regards,

- jh
On 2019-10-14 02:09, JH via Boost wrote:
Hi,
Any tips what I could be missing for the error of "Handshake failed: no protocols available"?
Using sslv23 in both server and client was fine, but when I changed it to use either sslv3, sslv3_client / sslv3_server, it gets that error "Handshake failed: no protocols available".
I think your question is more about OpenSSL rather than Boost.ASIO. The function names for the TLS connection methods are misleading (for historical reasons).

Both SSLv2 and SSLv3 are long outdated and insecure and are actually removed from the recent OpenSSL versions. What SSLv23_method does is actually negotiate the TLS version between the server and the client, and the result will most certainly not be SSLv2 or SSLv3. In OpenSSL 1.1.0, IIRC, SSLv23_method was renamed to TLS_method, and SSLv23_method was left as an alias.

SSLv3_method, as well as other _method functions, instruct OpenSSL to use this specific protocol version only. Since SSLv3 is removed, I imagine using it would give you the result you're seeing. In general, unless you have a serious reason to, you should not use specific versions of TLS protocols since this will prevent your application from using more secure protocol versions as they are released. I would recommend using TLS_method (and its client/server variants) to allow protocol version negotiation and use SSL_CTX_set_min/max_proto_version to control the negotiated protocol versions, if needed. I'm not sure how that maps onto Boost.ASIO API.

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_new.html
Thanks Andrey. Changing to use TLS did the trick.
On 10/14/19, Andrey Semashev via Boost wrote:
I think your question is more about OpenSSL rather than Boost.ASIO. The function names for the TLS connection methods are misleading (for historical reasons).
Both SSLv2 and SSLv3 are long outdated and insecure and are actually removed from the recent OpenSSL versions. What SSLv23_method does is actually negotiate the TLS version between the server and the client, and the result will most certainly not be SSLv2 or SSLv3. In OpenSSL 1.1.0, IIRC, SSLv23_method was renamed to TLS_method, and SSLv23_method was left as an alias.
SSLv3_method, as well as other _method functions, instruct OpenSSL to use this specific protocol version only. Since SSLv3 is removed, I imagine using it would give you the result you're seeing. In general, unless you have a serious reason to, you should not use specific versions of TLS protocols since this will prevent your application from using more secure protocol versions as they are released. I would recommend using TLS_method (and its client/server variants) to allow protocol version negotiation and use SSL_CTX_set_min/max_proto_version to control the negotiated protocol versions, if needed. I'm not sure how that maps onto Boost.ASIO API.
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_new.html
You're right, changing to use TLS did the trick. Thanks Andrey. - jh
participants (4)

- Andrey Semashev
- JH
- Seth
- Vinnie Falco