OpenSSL for 64-bit Windows and "no shared cipher"


I have just compiled and installed OpenSSL for 64-bit Windows. I have created a self-signed certificate and a private key with the command:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 10000 -nodes

I am now testing the "Simple TLS Server" example found on the OpenSSL Wiki with Firefox and a couple of modifications to support Winsock, but I keep getting the error

11216:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl\statem\statem_srvr.c:1422:

(the first number always varies) during the execution of the SSL_accept() function. I have checked the list of (11) ciphers sent by Firefox (v43.0.1) in its TLS v1.2 Client Hello when connecting to some HTTPS server using Wireshark (because capturing on localhost is difficult) and compared it to the ones supported by my installation of OpenSSL (found using openssl.exe ciphers -s -tls1_2 -V). The result is that there are common ciphers, so what am I missing?!

The block containing line 1422 of statem_srvr.c is the following, starting at line 1420:

if (cipher == NULL) {
    SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
           SSL_R_NO_SHARED_CIPHER);
    goto f_err;
}

The modifications to the original code are before the while loop and in the headers:

#pragma comment(lib,"Ws2_32.lib")
#include <stdio.h>
#include <winerror.h>
#include <WinSock2.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/applink.c>

and

int sock;
SSL_CTX *ctx;

/* Winsock must be initialised before any socket call. WSAStartup() does not set errno,
   so report WSAGetLastError() instead of relying on perror(). */
WSADATA WsaDat;
if (WSAStartup(MAKEWORD(2, 2), &WsaDat) != 0) {
    fprintf(stderr, "Winsock fatal startup error: %d\n", WSAGetLastError());
    return 1;
}
init_openssl();
ctx = create_context();      /* SSL_CTX_new() with the server method */
configure_context(ctx);      /* loads the certificate and private key (cert.pem / key.pem) */

sock = create_socket(4433);

Edit: This is what happens when I try to connect to the server using s_client with TLSv1.2:

CONNECTED(000000F0)
23368:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl\record\rec_layer_s3.c:1362:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1473536238
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Solution

  • As it turns out, there was a problem with finding the certificate and private key. Problem solved.
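The solution's point, shown concretely: a server context that never got its certificate and key loaded fails with exactly this "no shared cipher" error during the TLS 1.2 handshake, even though client and server cipher lists overlap, and the client sees the "handshake failure" alert from the s_client output above. This is an added example, not code from the question or from the OpenSSL wiki; it uses Python's standard-library ssl module (a wrapper around OpenSSL) and assumes the openssl command-line tool is on PATH so it can create a throwaway self-signed pair with the question's own req command.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(workdir):
    """Throwaway key/cert pair made the way the question does (openssl req -x509 -nodes); rsa:2048 for speed."""
    key, cert = os.path.join(workdir, "key.pem"), os.path.join(workdir, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-keyout", key, "-out", cert,
                    "-days", "1", "-nodes", "-subj", "/CN=localhost"], check=True, capture_output=True)
    return cert, key

def tls12_handshake(cert=None, key=None):
    """One TLS 1.2 handshake over loopback. Returns (server_reason, client_reason): None on
    success, otherwise the OpenSSL reason code Python exposes (e.g. 'NO_SHARED_CIPHER')."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.maximum_version = ssl.TLSVersion.TLSv1_2   # same path as the question's -tls1_2 s_client test
    if cert is not None:
        srv.load_cert_chain(cert, key)             # raises if a file is missing or key/cert mismatch
    lsn = socket.socket()
    lsn.bind(("127.0.0.1", 0)); lsn.listen(1)
    outcome = {}
    def serve():
        conn, _ = lsn.accept()
        try:
            with srv.wrap_socket(conn, server_side=True) as tls:   # SSL_accept() runs here
                tls.recv(1)
                outcome["server"] = None
        except OSError as e:
            outcome["server"] = getattr(e, "reason", type(e).__name__)
    t = threading.Thread(target=serve); t.start()
    # Harness only: the server cert is the thing under test, so this client does not verify it.
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.check_hostname, cli.verify_mode = False, ssl.CERT_NONE
    try:
        raw = socket.create_connection(("127.0.0.1", lsn.getsockname()[1]))
        with cli.wrap_socket(raw, server_hostname="localhost") as c:
            c.sendall(b"x")
            outcome["client"] = None
    except OSError as e:
        outcome["client"] = getattr(e, "reason", type(e).__name__)
    t.join(); lsn.close()
    return outcome["server"], outcome["client"]

def run_demo():
    """The question's failure (no cert/key loaded into the context) next to the fixed setup."""
    with tempfile.TemporaryDirectory() as d:
        return tls12_handshake(), tls12_handshake(*make_self_signed(d))

if __name__ == "__main__":
    print(run_demo())   # first pair: server reports 'NO_SHARED_CIPHER'; second pair: (None, None)
```

The practical check this illustrates: treat a failed SSL_CTX_use_certificate_file()/SSL_CTX_use_PrivateKey_file() (or SSL_CTX_check_private_key()) as fatal and print the OpenSSL error queue, because the handshake-time symptom points at ciphers rather than at the missing files.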