Does boost asio ssl support sslv3?


Does boost asio ssl support sslv3?

Boost - Dev mailing list
Hi,

I've been running boost asio socket and sslv2 for many months, it
works very well:

server.cpp

context_(boost::asio::ssl::context::sslv23)
context_.set_options(boost::asio::ssl::context::default_workarounds |
boost::asio::ssl::context::no_sslv2 |
boost::asio::ssl::context::single_dh_use);
context_.set_password_callback(boost::bind(&Server::get_password, this));
context_.use_certificate_chain_file("ssl/server.pem");
context_.use_private_key_file("ssl/server.pem", boost::asio::ssl::context::pem);
context_.use_tmp_dh_file("ssl/dh2048.pem");

on client.cpp
boost::asio::ssl::context context(boost::asio::ssl::context::sslv23);

Recently we changed to a nodejs server which uses sslv3, and the
client failed to connect to the sslv3 server:

Failed handshake: sslv3 alert handshake failure

Any tips how to fix sslv3 handshake failure?

Thank you.

Kind regards,

- jh

_______________________________________________
Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost

Re: Does boost asio ssl support sslv3?

Boost - Dev mailing list
Op 09-10-19 om 12:40 schreef JH via Boost:
> Failed handshake: sslv3 alert handshake failure
>
> Any tips how to fix sslv3 handshake failure?

Are you using the appropriate `method` flag(s) initializing the SSL
context?
https://www.boost.org/doc/libs/1_64_0/doc/html/boost_asio/reference/ssl__context/method.html



Re: Does boost asio ssl support sslv3?

Boost - Dev mailing list
What version of OpenSSL are you using?

On Wed, Oct 9, 2019 at 3:40 AM JH via Boost <[hidden email]> wrote:

>
> Hi,
>
> I've been running boost asio socket and sslv2 for many months, it
> works very well:
>
> server.cpp
>
> context_(boost::asio::ssl::context::sslv23)
> context_.set_options(boost::asio::ssl::context::default_workarounds |
> boost::asio::ssl::context::no_sslv2 |
> boost::asio::ssl::context::single_dh_use);
> context_.set_password_callback(boost::bind(&Server::get_password, this));
> context_.use_certificate_chain_file("ssl/server.pem");
> context_.use_private_key_file("ssl/server.pem", boost::asio::ssl::context::pem);
> context_.use_tmp_dh_file("ssl/dh2048.pem");
>
> on client.cpp
> boost::asio::ssl::context context(boost::asio::ssl::context::sslv23);
>
> Recently we changed to a nodejs server which uses sslv3, and the
> client failed to connect to the sslv3 server:
>
> Failed handshake: sslv3 alert handshake failure
>
> Any tips how to fix sslv3 handshake failure?
>
> Thank you.
>
> Kind regards,
>
> - jh
>



--
Regards,
Vinnie

Follow me on GitHub: https://github.com/vinniefalco


Re: Does boost asio ssl support sslv3?

Boost - Dev mailing list
On 10/9/19, Vinnie Falco <[hidden email]> wrote:
> What version of OpenSSL are you using?

I am running a test program on Ubuntu 18 with openssl 1.1.0g; in the real
application on the ARM imx6 it is actually openssl-conf
1.1.1a-r0.

> From Seth: Are you using the appropriate `method` flag(s) initializing the SSL
> context?

I tried both sslv3 and sslv3_client, and it got the handshake error "Failed
handshake: no protocols available".

Which flag should be selected?

Thanks Seth and Vinnie.

- jh


Re: Does boost asio ssl support sslv3?

Boost - Dev mailing list
Hi,

Any tips on what I could be missing for the error "Handshake failed:
no protocols available"?

Using sslv23 in both server and client was fine, but when I changed it
to use either sslv3 or sslv3_client / sslv3_server, it gets that error
"Handshake failed: no protocols available".

I am running the example code I downloaded from:

https://www.boost.org/doc/libs/1_66_0/doc/html/boost_asio/example/cpp03/ssl/client.cpp
https://www.boost.org/doc/libs/1_66_0/doc/html/boost_asio/example/cpp03/ssl/server.cpp

Thank you.

Kind regards,

- jh


Re: Does boost asio ssl support sslv3?

Boost - Dev mailing list
On 2019-10-14 02:09, JH via Boost wrote:
> Hi,
>
> Any tips on what I could be missing for the error "Handshake failed:
> no protocols available"?
>
> Using sslv23 in both server and client was fine, but when I changed it
> to use either sslv3 or sslv3_client / sslv3_server, it gets that error
> "Handshake failed: no protocols available".

I think your question is more about OpenSSL rather than Boost.ASIO. The
function names for the TLS connection methods are misleading (for
historical reasons).

Both SSLv2 and SSLv3 are long outdated and insecure and are actually
removed from the recent OpenSSL versions. What SSLv23_method does is
actually negotiate the TLS version between the server and the client,
and the result will most certainly not be SSLv2 or SSLv3. In OpenSSL
1.1.0, IIRC, SSLv23_method was renamed to TLS_method, and SSLv23_method
was left as an alias.

SSLv3_method, as well as other <something_specific>_method functions,
instruct OpenSSL to use this specific protocol version only. Since SSLv3
is removed, I imagine using it would give you the result you're seeing.

In general, unless you have a serious reason to, you should not use
specific versions of TLS protocols since this will prevent your
application from using more secure protocol versions as they are
released. I would recommend using TLS_method (and its client/server
variants) to allow protocol version negotiation and use
SSL_CTX_set_min/max_proto_version to control the negotiated protocol
versions, if needed. I'm not sure how that maps onto the Boost.ASIO API.

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_new.html


Re: Does boost asio ssl support sslv3?

Boost - Dev mailing list
Thanks Andrey, changing to use TLS did the trick.



On 10/14/19, Andrey Semashev via Boost <[hidden email]> wrote:

> I think your question is more about OpenSSL rather than Boost.ASIO. The
> function names for the TLS connection methods are misleading (for
> historical reasons).
>
> Both SSLv2 and SSLv3 are long outdated and insecure and are actually
> removed from the recent OpenSSL versions. What SSLv23_method does is
> actually negotiate the TLS version between the server and the client,
> and the result will most certainly not be SSLv2 or SSLv3. In OpenSSL
> 1.1.0, IIRC, SSLv23_method was renamed to TLS_method, and SSLv23_method
> was left as an alias.
>
> SSLv3_method, as well as other <something_specific>_method functions,
> instruct OpenSSL to use this specific protocol version only. Since SSLv3
> is removed, I imagine using it would give you the result you're seeing.
>
> In general, unless you have a serious reason to, you should not use
> specific versions of TLS protocols since this will prevent your
> application from using more secure protocol versions as they are
> released. I would recommend using TLS_method (and its client/server
> variants) to allow protocol version negotiation and use
> SSL_CTX_set_min/max_proto_version to control the negotiated protocol
> versions, if needed. I'm not sure how that maps onto Boost.ASIO API.
>
> https://www.openssl.org/docs/manmaster/man3/SSL_CTX_new.html

You're right, changing to use TLS did the trick.

Thanks Andrey.

- jh
