From c3e1809f540db16c23fc74f06d6e8c29a4a6941a Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan@karger.me>
Date: Sat, 25 Oct 2014 20:49:26 +0200
Subject: openssl: add more descriptive message for 'no shared cipher' error

Overzealous users using the --tls-cipher option, or users with actual
incompatible crypto libaries often waste quite some time debugging the
'no shared cipher' error from openssl. See e.g. trac ticket #359:
https://community.openvpn.net/openvpn/ticket/359

This change adds a more clear, verb 1 error message reporting the problem
directly to the user, instead of just printing the openssl error.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <544EB12E.40200@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9209
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
 src/openvpn/crypto_openssl.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 1bf6594..05214c0 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -42,9 +42,12 @@
 #include "integer.h"
 #include "crypto.h"
 #include "crypto_backend.h"
-#include <openssl/objects.h>
-#include <openssl/evp.h>
+
 #include <openssl/des.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/ssl.h>
 
 /*
  * Check for key size creepage.
@@ -200,7 +203,18 @@ crypto_print_openssl_errors(const unsigned int flags) {
   size_t err = 0;
 
   while ((err = ERR_get_error ()))
-    msg (flags, "OpenSSL: %s", ERR_error_string (err, NULL));
+    {
+      /* Be more clear about frequently occurring "no shared cipher" error */
+      if (err == ERR_PACK(ERR_LIB_SSL,SSL_F_SSL3_GET_CLIENT_HELLO,
+	  SSL_R_NO_SHARED_CIPHER))
+	{
+	  msg (D_CRYPT_ERRORS, "TLS error: The server has no TLS ciphersuites "
+	      "in common with the client. Your --tls-cipher setting might be "
+	      "too restrictive.");
+	}
+
+      msg (flags, "OpenSSL: %s", ERR_error_string (err, NULL));
+    }
 }
 
 
-- 
cgit