Browse code
openssl: add more descriptive message for 'no shared cipher' error
Overzealous users using the --tls-cipher option, or users with actual
incompatible crypto libaries often waste quite some time debugging the
'no shared cipher' error from openssl. See e.g. trac ticket #359:
https://community.openvpn.net/openvpn/ticket/359
This change adds a more clear, verb 1 error message reporting the problem
directly to the user, instead of just printing the openssl error.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <544EB12E.40200@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9209
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger authored on 2014/10/26 03:49:26Showing 1 changed files
| ... | ... |
@@ -42,9 +42,12 @@ |
| 42 | 42 |
#include "integer.h" |
| 43 | 43 |
#include "crypto.h" |
| 44 | 44 |
#include "crypto_backend.h" |
| 45 |
-#include <openssl/objects.h> |
|
| 46 |
-#include <openssl/evp.h> |
|
| 45 |
+ |
|
| 47 | 46 |
#include <openssl/des.h> |
| 47 |
+#include <openssl/err.h> |
|
| 48 |
+#include <openssl/evp.h> |
|
| 49 |
+#include <openssl/objects.h> |
|
| 50 |
+#include <openssl/ssl.h> |
|
| 48 | 51 |
|
| 49 | 52 |
/* |
| 50 | 53 |
* Check for key size creepage. |
| ... | ... |
@@ -200,7 +203,18 @@ crypto_print_openssl_errors(const unsigned int flags) {
|
| 200 | 200 |
size_t err = 0; |
| 201 | 201 |
|
| 202 | 202 |
while ((err = ERR_get_error ())) |
| 203 |
- msg (flags, "OpenSSL: %s", ERR_error_string (err, NULL)); |
|
| 203 |
+ {
|
|
| 204 |
+ /* Be more clear about frequently occurring "no shared cipher" error */ |
|
| 205 |
+ if (err == ERR_PACK(ERR_LIB_SSL,SSL_F_SSL3_GET_CLIENT_HELLO, |
|
| 206 |
+ SSL_R_NO_SHARED_CIPHER)) |
|
| 207 |
+ {
|
|
| 208 |
+ msg (D_CRYPT_ERRORS, "TLS error: The server has no TLS ciphersuites " |
|
| 209 |
+ "in common with the client. Your --tls-cipher setting might be " |
|
| 210 |
+ "too restrictive."); |
|
| 211 |
+ } |
|
| 212 |
+ |
|
| 213 |
+ msg (flags, "OpenSSL: %s", ERR_error_string (err, NULL)); |
|
| 214 |
+ } |
|
| 204 | 215 |
} |
| 205 | 216 |
|
| 206 | 217 |
|