Error from src bufferevent about sslsplit HOT 7 OPEN

Note first that your compiled and rtlinked OpenSSL versions do not match. You should have the same version for both.

I think the error says that the client and sslsplit could not agree on a cipher. sslsplit does not write an "SSL connected from" log for the client.

But, I wonder what the client application is here, which web browser?

from sslsplit.

I've installed it via "brew install sslsplit"
Client is embedded on ARM M3

Server side is free to test

Can it be related to wrong CA cert ?

from sslsplit.

OpenSSL 1.1.0+ versions have removed weak (e.g. export grade) ciphers. See this link and search for the word removed. I think the ciphers on OpenSSL 1.1.1h/j are stronger than the ones the embedded device supports, hence they cannot agree on it.

I doubt you can upgrade the ssl engine on the embedded device (now I wonder what its ssl engine is). Can you downgrade the OpenSSL on your mac? (I don't think weak ciphers can be enabled on OpenSSL 1.1.0+.)

Btw, it always amazes me to hear compiled and rtlinked version issues with openssl on osx.

from sslsplit.

Perhaps you can rebuild OpenSSL 1.1.1 with the enable-weak-ssl-ciphers option.

from sslsplit.

Great Idea. I will try and let you know. Maybe sslsplit can improve warning messages in such cases.

from sslsplit.

I sniffed working communication and negotiated params was
TLS 1.2
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)

/usr/local/Cellar/[email protected]/1.1.1j/bin/openssl ciphers -V |grep 0xC0.0x23 0xC0,0x23 - ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
So I believe it is quite decent

How sslsplit will behave when client do not accept CA ?

from sslsplit.

The openssl alert must be something like "bad certificate", "unknown CA", or "certificate unknown", if the client complains about the CA cert used for forging by sslsplit. See the OpenSSL docs.

from sslsplit.