OpenSSL version: OpenSSL 1.1.0g
Dev: lib libssl1.0-dev
Lang: C++
I have a client / server TCP socket application (C++, Linux). I have generated a self-signed certificate and both the client and the server are using the same certificate file (client and server are running on the same box).
To create the certificate I run these commands:
openssl genrsa -des3 -out server.key 2048
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
1/ When I implement SSL_CTX *ctx = SSL_CTX_new(SSLv23_method()) the connection works and data can be transported, when using the cipher list: "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
2/ When I use the code SSL_CTX *ctx = SSL_CTX_new(TLSv1_2_client_method()), the connection is not established and I get SSL_ERROR_SSL.
If I change the cipher list to "DHE-RSA-AES256-GCM-SHA384", which should work with TLS, it doesn’t help. I get the same error.
3/ When I run: openssl s_client -connect x.x.x.x:yy, while the server is running the version with SSLv23_method(), I get the following:
... New, TLSv1.2, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
...
My questions are:
A/ I want to be able to use method = TLSv1_2_client_method(). Do I need to generate the certificates with different command parameters?
B/ Why is openssl s_client in case 3/ using the protocol TLSv1.2 when the server protocol was defined with method = SSLv23_method()?
TLSv1_2_client_method()? This is not clear from the question. Furthermore, SSLv23_method and related methods have been deprecated; I presume they simply forward to TLSv1_2_method until they get removed altogether. – Maarten Bodewes
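The setup the question describes, as an added example that is not part of the original post or of OpenSSL's own documentation: a shell script that generates the key, the CSR (the `openssl req` step the question's command list leaves out; without it `server.csr` does not exist), and the self-signed certificate, then starts a TLS 1.2-only `openssl s_server` on the loopback interface and reports which protocol an `s_client` actually negotiated. It needs the `openssl` CLI (1.1.0 or later) and a free loopback port; the port numbers, the `/CN=localhost` subject, the temporary working directory and the choice of an unencrypted key (no `-des3`, so the server can start unattended) are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example, not code from the question. Assumes the openssl CLI
# (1.1.0 or later) and a free loopback port; paths, ports and subject name
# are chosen for this demonstration only.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
trap 'rm -rf "$WORKDIR"' EXIT

# key -> CSR -> self-signed certificate. The CSR step is the one the
# question's command list leaves out. The key is written unencrypted so
# s_server can start without a passphrase prompt.
make_self_signed() {
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/server.key" -subj "/CN=localhost" \
        -out "$WORKDIR/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
        -signkey "$WORKDIR/server.key" -out "$WORKDIR/server.crt" 2>/dev/null
    # A self-signed certificate is its own trust anchor: verify it against itself.
    openssl verify -CAfile "$WORKDIR/server.crt" "$WORKDIR/server.crt" >/dev/null
}

# Start a server pinned to TLS 1.2 (the CLI equivalent of restricting the
# SSL_CTX to TLS1_2_VERSION), connect once with s_client using any extra
# client flags given after the port, and print the negotiated protocol:
# "TLSv1.2" on success, "(NONE)" or nothing when the handshake failed.
negotiated_protocol() {
    port="$1"; shift
    openssl s_server -accept "$port" -tls1_2 -www \
        -cert "$WORKDIR/server.crt" -key "$WORKDIR/server.key" >/dev/null 2>&1 &
    server_pid=$!
    sleep 1   # give s_server time to bind the port
    # "$@" carries client-side flags such as -tls1_1; "|| true" keeps set -e
    # from aborting on a failed handshake, which is a result we want to see.
    out=$(echo | openssl s_client -connect "127.0.0.1:$port" "$@" 2>/dev/null || true)
    kill "$server_pid" 2>/dev/null || true
    wait "$server_pid" 2>/dev/null || true
    # s_client summarises the handshake as: New, TLSv1.2, Cipher is AES256-GCM-SHA384
    printf '%s\n' "$out" | sed -n 's/^New, \([^,]*\), Cipher is .*/\1/p' | head -n 1
}

make_self_signed
echo "default client against TLS 1.2-only server: $(negotiated_protocol 14433)"
echo "TLS 1.1-only client against the same server: $(negotiated_protocol 14434 -tls1_1)"
```

The second line of output shows that the protocol version, not the certificate, decides whether the handshake succeeds: the same RSA certificate serves every TLS version, so A/ does not need different certificate parameters. On the C++ side the equivalent of the `-tls1_2` flag in OpenSSL 1.1.0 is to keep the version-flexible method (`SSLv23_method()`, which 1.1.0 spells `TLS_method()` / `TLS_client_method()`) and call `SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)`; the fixed-version `TLSv1_2_client_method()` is deprecated in 1.1.0. That also answers B/: the version-flexible method negotiates the highest version both peers support, which with 1.1.0g is TLSv1.2, so `s_client` reports exactly that. When `SSL_connect` returns `SSL_ERROR_SSL`, call `ERR_print_errors_fp(stderr)` to see the actual reason rather than guessing at the cipher list.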