diff options
author | Steffan Karger <steffan@karger.me> | 2014-10-25 20:49:26 +0200 |
---|---|---|
committer | Gert Doering <gert@greenie.muc.de> | 2014-12-31 15:26:13 +0100 |
commit | c3e1809f540db16c23fc74f06d6e8c29a4a6941a (patch) | |
tree | c4e45dc5580fc8d5ace5eb61a9e26c9939019d7e /src | |
parent | e795d6ba57e6e79bfae941ab048e44e47179865c (diff) | |
download | openvpn-c3e1809f540db16c23fc74f06d6e8c29a4a6941a.tar.gz openvpn-c3e1809f540db16c23fc74f06d6e8c29a4a6941a.tar.xz openvpn-c3e1809f540db16c23fc74f06d6e8c29a4a6941a.zip |
openssl: add more descriptive message for 'no shared cipher' error
Overzealous users using the --tls-cipher option, or users with actual
incompatible crypto libaries often waste quite some time debugging the
'no shared cipher' error from openssl. See e.g. trac ticket #359:
https://community.openvpn.net/openvpn/ticket/359
This change adds a more clear, verb 1 error message reporting the problem
directly to the user, instead of just printing the openssl error.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <544EB12E.40200@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9209
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src')
-rw-r--r-- | src/openvpn/crypto_openssl.c | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 1bf6594..05214c0 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -42,9 +42,12 @@ #include "integer.h" #include "crypto.h" #include "crypto_backend.h" -#include <openssl/objects.h> -#include <openssl/evp.h> + #include <openssl/des.h> +#include <openssl/err.h> +#include <openssl/evp.h> +#include <openssl/objects.h> +#include <openssl/ssl.h> /* * Check for key size creepage. @@ -200,7 +203,18 @@ crypto_print_openssl_errors(const unsigned int flags) { size_t err = 0; while ((err = ERR_get_error ())) - msg (flags, "OpenSSL: %s", ERR_error_string (err, NULL)); + { + /* Be more clear about frequently occurring "no shared cipher" error */ + if (err == ERR_PACK(ERR_LIB_SSL,SSL_F_SSL3_GET_CLIENT_HELLO, + SSL_R_NO_SHARED_CIPHER)) + { + msg (D_CRYPT_ERRORS, "TLS error: The server has no TLS ciphersuites " + "in common with the client. Your --tls-cipher setting might be " + "too restrictive."); + } + + msg (flags, "OpenSSL: %s", ERR_error_string (err, NULL)); + } } |