Overzealous users using the --tls-cipher option, or users with actual
incompatible crypto libraries often waste quite some time debugging the
'no shared cipher' error from openssl. See e.g. trac ticket #359:
https://community.openvpn.net/openvpn/ticket/359
This change adds a more clear, verb 1 error message reporting the problem
directly to the user, instead of just printing the openssl error.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <544EB12E.40200@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9209
Signed-off-by: Gert Doering <gert@greenie.muc.de>
@@ -42,9 +42,12 @@ |
42 | 42 |
#include "integer.h" |
43 | 43 |
#include "crypto.h" |
44 | 44 |
#include "crypto_backend.h" |
45 |
-#include <openssl/objects.h> |
|
46 |
-#include <openssl/evp.h> |
|
45 |
+ |
|
47 | 46 |
#include <openssl/des.h> |
47 |
+#include <openssl/err.h> |
|
48 |
+#include <openssl/evp.h> |
|
49 |
+#include <openssl/objects.h> |
|
50 |
+#include <openssl/ssl.h> |
|
48 | 51 |
|
49 | 52 |
/* |
50 | 53 |
* Check for key size creepage. |
@@ -200,7 +203,18 @@ crypto_print_openssl_errors(const unsigned int flags) { |
200 | 200 |
size_t err = 0; |
201 | 201 |
|
202 | 202 |
while ((err = ERR_get_error ())) |
203 |
- msg (flags, "OpenSSL: %s", ERR_error_string (err, NULL)); |
|
203 |
+ { |
|
204 |
+ /* Be more clear about frequently occurring "no shared cipher" error */ |
|
205 |
+ if (err == ERR_PACK(ERR_LIB_SSL,SSL_F_SSL3_GET_CLIENT_HELLO, |
|
206 |
+ SSL_R_NO_SHARED_CIPHER)) |
|
207 |
+ { |
|
208 |
+ msg (D_CRYPT_ERRORS, "TLS error: The server has no TLS ciphersuites " |
|
209 |
+ "in common with the client. Your --tls-cipher setting might be " |
|
210 |
+ "too restrictive."); |
|
211 |
+ } |
|
212 |
+ |
|
213 |
+ msg (flags, "OpenSSL: %s", ERR_error_string (err, NULL)); |
|
214 |
+ } |
|
204 | 215 |
} |
205 | 216 |
|
206 | 217 |
|