Hi,
Has anyone successfully started an https server with the latest hunchentoot?
For some reason I'm getting a "no shared cipher" error. I hope that I'm not making a stupid mistake with the ssl setup.
# To generate a key
$ openssl genrsa 1024 > server.key
# To generate a Certificate Signing Request
$ openssl req -new -key server.key > server.csr
# self-sign cert
$ openssl req -x509 -key server.key -in server.csr > server.crt
(asdf:oos 'asdf:load-op :hunchentoot-test)
(hunchentoot:start-server :port 4443 :ssl-certificate-file "server.crt")
(setq hunchentoot:*catch-errors-p* nil)
When I point Firefox to https://localhost:4443/, an error dialog pops up:
`Firefox and localhost cannot communicate securely because they have no common encryption algorithms.'
I'm using LispWorks 5.0.2 32-bit pro.
This happens in both Fedora Core 6 and WinXP. I used the precompiled ssl package found here: http://www.slproweb.com/download/Win32OpenSSL-0_9_8e.exe
Here's the backtrace:
SSL failure in #<COMM:SOCKET-STREAM 2009956F>: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
   [Condition of type COMM:SSL-FAILURE]

Restarts:
  0: [ABORT] Quit process.

Backtrace:
  0: SIGNAL (#<COMM:SSL-FAILURE 2009C333> &REST NIL)
  1: CONDITIONS::CONDITIONS-ERROR (:INVISIBLEP T COMM:SSL-FAILURE (:STREAM #1=#<COMM:SOCKET-STREAM 2009956F> :FORMAT-STRING "SSL failure in ~s: ~a" :FORMAT-ARGUMENTS (#1# "error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher")))
  2: COMM::SSL-READ-OR-WRITE-BUFFER (#<COMM:SOCKET-STREAM 2009956F> T "ULT-DISPATCHERB@HC9
  3: (METHOD STREAM:STREAM-FILL-BUFFER (STREAM:BUFFERED-STREAM)) (#<COMM:SOCKET-STREAM 2009956F>)
  4: (METHOD STREAM:STREAM-READ-CHAR (STREAM:BUFFERED-STREAM)) (#<COMM:SOCKET-STREAM 2009956F>)
  5: (METHOD STREAM:STREAM-READ-BYTE (COMM:SOCKET-STREAM)) (#<COMM:SOCKET-STREAM 2009956F>)
  6: READ-BYTE (#<COMM:SOCKET-STREAM 2009956F> &OPTIONAL "<(EOF-ERROR-P T)>" :EOF)
  7: READ-BYTE (#<CHUNGA:CHUNKED-IO-STREAM 2009BE8F> &OPTIONAL "<(EOF-ERROR-P T)>" NIL)
  8: (METHOD FLEXI-STREAMS::READ-BYTE* (FLEXI-STREAMS::FLEXI-BINARY-INPUT-STREAM)) (#<FLEXI-STREAMS::FLEXI-BINARY-LATIN-1-IO-STREAM 2009BDF7>)
  9: (METHOD STREAM:STREAM-READ-CHAR (FLEXI-STREAMS::FLEXI-LATIN-1-INPUT-STREAM)) (#<FLEXI-STREAMS::FLEXI-BINARY-LATIN-1-IO-STREAM 2009BDF7>)
 10: READ-CHAR (&OPTIONAL "<(STREAM *STANDARD-INPUT*)>" "<(EOF-ERROR-P T)>" NIL :DONT-KNOW)
 11: CHUNGA:READ-LINE* (#<FLEXI-STREAMS::FLEXI-BINARY-LATIN-1-IO-STREAM 2009BDF7> &OPTIONAL NIL)
 12: HUNCHENTOOT::GET-REQUEST-DATA NIL
 13: HUNCHENTOOT::PROCESS-CONNECTION (#<HUNCHENTOOT::SERVER 200A3EEF> 420)
 14: (SUBFUNCTION MP::PROCESS-SG-FUNCTION MP::INITIALIZE-PROCESS-STACK) (:DONT-KNOW)
 15: SYSTEM::%%FIRST-CALL-TO-STACK NIL
Regards, -- Mac
So it turns out that it was indeed a stupid mistake :(
I forgot to supply the :ssl-privatekey-file keyword argument.
SBCL (using CL+SSL) gives a much more descriptive error message and that's how I tracked down the problem.
Sorry for the false alarm!
Regards, -- Mac
On 7/8/07, Mac Chan emailmac@gmail.com wrote:
Hi,
Has anyone successfully started an https server with the latest hunchentoot?
For some reason I'm getting a "no shared cipher" error. I hope that I'm not making a stupid mistake with the ssl setup.
# To generate a key
$ openssl genrsa 1024 > server.key
# To generate a Certificate Signing Request
$ openssl req -new -key server.key > server.csr
# self-sign cert
$ openssl req -x509 -key server.key -in server.csr > server.crt
(asdf:oos 'asdf:load-op :hunchentoot-test)
(hunchentoot:start-server :port 4443 :ssl-certificate-file "server.crt")
(setq hunchentoot:*catch-errors-p* nil)
When I point Firefox to https://localhost:4443/, an error dialog pops up:
`Firefox and localhost cannot communicate securely because they have no common encryption algorithms.'
On Mon, 2007-07-09 at 11:52 -0700, Mac Chan wrote:
So it turns out that it was indeed a stupid mistake :(
I forgot to supply the :ssl-privatekey-file keyword argument.
SBCL (using CL+SSL) gives a much more descriptive error message and that's how I tracked down the problem.
Hey, we should save this message for all these people that complain about SBCL's over-verboseness ... ;-) BTW - oversight isn't stupidity.
Cheers, RalfD
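
An added example, not part of the original thread: a pre-flight check that would have caught the missing private key before the listener was started. It goes one step beyond the thread by also rejecting a key that does not belong to the certificate. The function name check_tls_pair and its return codes are made up for this example, and it assumes an unencrypted PEM key and an openssl recent enough to have the pkey command.

```shell
#!/bin/sh
# Added example. check_tls_pair CERT KEY
#   0 = both files readable and the key matches the certificate
#   1 = key does not match the certificate
#   2 = key argument missing, or a file is unreadable
#   3 = a file could not be parsed as PEM
check_tls_pair() {
    cert=${1:-}
    key=${2:-}

    # The case from the thread: a certificate was given, the key was not.
    if [ -z "$key" ]; then
        echo "no private key file given; a certificate alone is not enough" >&2
        return 2
    fi

    for f in "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "cannot read $f" >&2
            return 2
        fi
    done

    # Public key embedded in the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "$cert is not a PEM certificate" >&2
        return 3
    }
    # Public key derived from the private key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "$key is not a PEM private key" >&2
        return 3
    }

    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi
    return 0
}

# Run as a script: sh check_tls_pair.sh server.crt server.key
[ "$#" -eq 0 ] || check_tls_pair "$@"
```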