Cipher Suite negotiation failure in LW8 / ssl-ctx is not initialized

[mdbergmann]

I'm receiving the following error when trying to connect with a client to hunchentoot with SSL acceptor.

[2024-01-20 13:07:04 [ERROR]] Error while processing connection: Error when reading from #<COMM:SOCKET-STREAM 80100F88CB> : "Cipher Suite negotiation failure" [-9801].

I've tracked it down to ctx-configure-callback function, as set up by attach-ssl not being called. Despite initialize-connection-stream and make-ssl-server-stream are called (in ssl.lisp).

Anyone got an idea?

[hanshuebner]

This looks like an SSL version incompatibility between your server and your client. Is it possible that your server uses a very old SSL version that does not support modern ciphers? Can you look at the debug logs on the server side to determine what TLS version is being used?

[mdbergmann]

Well, client and server is on the same host. It works with SBCL and cl+ssl. For me it seems like as if the ssl-ctx is not configured with the certificate and private key I have defined. Or do you think that the handshake and cipher negotiation is happening before the ctx-configure-callback? I was thinking it might also be a problem with client (Drakma), but I get the same error when trying to connect with a browser.

[hanshuebner]

What is the platform that it does not work with? From the error message, I would suspect LispWorks. Is it possible that LispWorks uses a different (outdated) version of OpenSSL?

[mdbergmann]

Hmm, it's LispWorks 8.0.1. The latest. I'll try to check what version they have bundled. I'll try some more with pure LispWorks API to see if it actually works there.

[mdbergmann]

Please check PR #225. While this works, I do not know why the previous variant does not work.

[mdbergmann]

Fixed with #225