
I need to enable SSLv3_method when building OpenSSL for C++ on Windows in Visual Studio. I open the VS2015 Native command prompt and configure the project with

perl Configure VC-WIN64A -no-shared -no-module -enable-ssl3-method

The -enable-ssl3-method option should enable SSLv3_method, but it doesn't. Where am I going wrong?

You definitely need to set the SECLEVEL=0. The ciphers in the default configuration were also changed in 3.0.

Maybe you also need to set some legacy weak ciphersuites to be able to communicate with the server?

I'm using OpenSSL 3.0 LTS ( de90e54 ) built for win64 using VS2015. The previous version was 1.0.2u, and with that version the connection works.
I'm making the connection with

SSL_connect(SSL *ssl)

the context was created with

ssl_context = SSL_CTX_new(SSLv3_method());

I'm forced to use SSLv3_method in order to be compatible with a legacy version of one of our old programs.

My application is the client.

You need to set the security level to 0. SSLv3 will not work at the default security level. Call SSL_set_security_level(ssl, 0) before calling SSL_connect().

I would also recommend that you change SSLv3_method() to TLS_method(). The old SSLv3_method() function is deprecated. TLS_method() will negotiate the highest protocol version that is available. If only SSLv3 is available it will use that, so it is still suitable for your scenario.

I tried with TLS_method() and it negotiates SSLv3, but SSLv3 still does not work, even when calling SSL_set_security_level(ssl, 0).

The error is the same as before.

After the connection fails please try printing out any errors on the OpenSSL error stack, e.g.

BIO *errbio = BIO_new_file("errs.log", "w");
ERR_print_errors(errbio);

Post any errors you see here.

BIO* errbio = BIO_new_file("errs.log", "w");
/* Reopens the file that BIO_new_file already opened; not needed. */
if (BIO_write_filename(errbio, (void*)"errs.log") <= 0) {
    printf("error opening file.\n");
}
while (((err = SSL_connect(connection)) != 1) && (attempt < 6)) {
    ++attempt;
    ERR_print_errors(errbio);   /* dump the OpenSSL error queue after each failed attempt */
    SLEEP(1000);
}
BIO_free(errbio);   /* free once, after the loop, not on every iteration */

The connection still fails, but errs.log is empty. Am I doing something wrong?

You shouldn't need to call BIO_write_filename above. Remove those lines.

Please add printf("SSL_get_error(connection, err) is %d\n", SSL_get_error(connection, err)); into your "while" loop.

Are you using a blocking or non-blocking socket?

SSL_get_error(connection, err) is 2

Does it continue to report the same value for all iterations of your loop?

When working with non-blocking sockets you need to use SSL_get_error() to determine what action to take in the event of an IO operation failing. See the man page here:

https://www.openssl.org/docs/man3.0/man3/SSL_get_error.html

A value of 2 corresponds to SSL_ERROR_WANT_READ, which is described on the man page as:

SSL_ERROR_WANT_READ is returned when the last operation was a read operation from a nonblocking BIO. It means that not enough data was available at this time to complete the operation. If at a later time the underlying BIO has data available for reading the same function can be called again.

In other words, SSL_ERROR_WANT_READ is not a permanent error - it just means the peer (i.e. the server in this case) hasn't sent us enough data yet. You should check the underlying socket for readability and call SSL_connect() again when it is readable.
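The retry behaviour described above, as an added example that is not part of this thread: it uses Python's ssl module over in-memory BIOs instead of the C code above, so it runs without a socket or a server, but it is the same OpenSSL state machine underneath. It assumes a Python interpreter linked against OpenSSL (needed for the @SECLEVEL cipher-string syntax); the "legacy" peer never answers, so every handshake attempt reports WANT_READ (2), exactly the value seen in the loop above, and only the first attempt has bytes (the ClientHello) to send.

```python
import ssl


def make_client_context():
    """Client context with the security level lowered, as advised in the thread."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Constructed example: there is no CA store, so peer verification is off.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Same effect as SSL_set_security_level(ssl, 0) in C: ciphers and protocols
    # refused at the default level become selectable again.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def handshake_step(tls, outgoing):
    """One SSL_connect() attempt. Returns (state, ssl_errno, bytes_for_peer)."""
    try:
        tls.do_handshake()
        return "done", None, outgoing.read()
    except ssl.SSLWantReadError as e:
        # e.errno is SSL_ERROR_WANT_READ (2): not fatal, the peer has not replied yet.
        return "want_read", e.errno, outgoing.read()
    except ssl.SSLWantWriteError as e:
        return "want_write", e.errno, outgoing.read()


def drive_client(attempts=3):
    """Retry the handshake `attempts` times with no server reply, like the loop
    in the thread, and collect what each attempt reports."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = make_client_context().wrap_bio(incoming, outgoing)
    results = []
    for _ in range(attempts):
        state, errno, data = handshake_step(tls, outgoing)
        # `data` is what must be flushed to the socket (the ClientHello on attempt 1)
        results.append((state, errno, len(data)))
        if state == "done":
            break
        # Real code: select()/poll() the socket for readability (want_read) or
        # writability (want_write), write `incoming.write(recv_bytes)` with what
        # arrives, then call handshake_step again. Nothing arrives here.
    return results


if __name__ == "__main__":
    for state, errno, sent in drive_client():
        print(f"state={state} SSL_get_error={errno} bytes_to_send={sent}")
```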