Python SSL - No Shared Ciphers



  • I am using a custom Python build, with the liboqs-openssl which is encapsulating pq-algorithms. I generated the certificates using the provided dilithium2 algorithm and wanted to create a simple SSL connection with a Python client and server.

    Simplified client:

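    import ssl
    from socket import socket, AF_INET, SOCK_STREAM

    # Client context: verifies the server certificate against the dilithium2 CA
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.load_verify_locations('.../quantum-safe-chat/pqca/ca/dilithium2_CA.crt')
    _socket = socket(AF_INET, SOCK_STREAM, 0)
    _socket = context.wrap_socket(_socket, server_hostname=hostname)
    _socket.connect(address)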
    

    Simplified server:

    # Server context: TLS 1.2 protocol constant, presents the dilithium2 certificate
    context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
    context.load_cert_chain(certfile='.../quantum-safe-chat/pqca/server/dilithium2_srv.crt',
                            keyfile='.../quantum-safe-chat/pqca/server/dilithium2_srv.key')
    server = socket(AF_INET, SOCK_STREAM, 0)
    server.bind(address)
    # Wrap the listening socket that was just bound
    server = context.wrap_socket(server, server_side=True)
    

    Now when I try to run the server and the client, I get the client error ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1129) and the server error ssl.SSLError: [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:1129).

    I already tried printing out the ciphers with context.get_ciphers() on both ends, where they were identical. Also I tried manually setting it to the same cipher on both ends with context.set_ciphers('ECDHE-RSA-AES256-GCM-SHA384') which only gives me the same result.

    Does anyone have an idea what the issue might be?



  • I'm not familiar with liboqs-openssl, but

    • The documentation clearly says that the necessary cipher support is for TLS 1.3, while your code insists on using TLS 1.2
    • You are trying to use ciphers which require an RSA certificate, even though you don't have an RSA certificate

    This together means that there are no ciphers which could support the authentication method available with your certificate. In other words: no ciphers and therefore also no shared ciphers.
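
The answer's reasoning, as an added example that is not part of the original thread: on a stock Python `ssl` build (not the liboqs one), it filters `get_ciphers()` by protocol cap and by the `auth` field to show why matching cipher lists on both ends can still leave nothing negotiable. The helper names and the `PQ_AUTH` label are hypothetical; `PQ_AUTH` is a constructed placeholder standing in for a certificate key that is neither RSA nor ECDSA.

```python
import ssl

# Constructed placeholder: stands in for a key type no TLS 1.2 suite names.
PQ_AUTH = "auth-dilithium2-placeholder"


def pinned_server_context(max_version, cipher_string=None):
    """Build a server-side context capped at max_version (no certificate loaded)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.maximum_version = max_version
    if cipher_string:
        # set_ciphers() only selects TLS 1.2-and-below suites;
        # TLS 1.3 suites are not affected by it.
        ctx.set_ciphers(cipher_string)
    return ctx


def usable_suites(ctx, cert_auth):
    """Names of suites in ctx that a certificate of type cert_auth can serve.

    cert_auth uses the 'auth' labels reported by get_ciphers(), e.g. 'auth-rsa'.
    """
    tls13_allowed = ctx.maximum_version in (
        ssl.TLSVersion.MAXIMUM_SUPPORTED, ssl.TLSVersion.TLSv1_3)
    usable = []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            # TLS 1.3 suites carry no authentication type; the certificate's
            # signature algorithm is negotiated separately.
            if tls13_allowed:
                usable.append(suite["name"])
        elif suite["auth"] == cert_auth:
            # TLS 1.2 suites bind authentication to one key type.
            usable.append(suite["name"])
    return usable


if __name__ == "__main__":
    name = "ECDHE-RSA-AES256-GCM-SHA384"
    tls12 = pinned_server_context(ssl.TLSVersion.TLSv1_2, name)
    tls13 = pinned_server_context(ssl.TLSVersion.TLSv1_3, name)
    print("TLS 1.2 cap, RSA cert:    ", usable_suites(tls12, "auth-rsa"))
    print("TLS 1.2 cap, non-RSA cert:", usable_suites(tls12, PQ_AUTH))
    print("TLS 1.3 cap, non-RSA cert:", usable_suites(tls13, PQ_AUTH))
```

The empty list in the second case corresponds to the server-side `NO_SHARED_CIPHER` error in the question.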


