"wthttp/async: SSL handshake error: no shared cipher"

Added by Matt M about 1 month ago

Hello everyone,

I have recently started using Wt and have been enjoying it a lot. One small problem that is persisting for me is that I cannot seem to be able to get HTTPS to work using wthttp. I get the following error from Wt when trying to reach my web app via the correct HTTPS address and port - "wthttp/async: SSL handshake error: no shared cipher".

I followed this guide [1] and a few others. I also added -lcrypto and -lssl to my g++ flags when compiling my web app but to no avail.

  1. https://redmine.webtoolkit.eu/projects/wt/wiki/Frequently_Asked_Questions#Q-How-do-I-use-the-built-in-HTTPS-server-in-wthttpd

Replies (10)

RE: "wthttp/async: SSL handshake error: no shared cipher" - Added by Matt M about 1 month ago

I also installed Wt by following this [1] for "mac OS X Yosemite or El Capitan (macosx 10.10-10.11+)", but I am on macOS Mojave 10.14.1; would that cause any issue? Mojave is fairly new and the wiki is a bit over a year old.

  1. https://redmine.webtoolkit.eu/projects/wt/wiki/Installing_Wt_on_Mac_OS_X_Yosemite

RE: "wthttp/async: SSL handshake error: no shared cipher" - Added by lm at about 1 month ago

I use a reverse proxy (Apache httpd) and terminate the SSL there. Are you planning on serving your website permanently behind Apple Macintosh OS?

RE: "wthttp/async: SSL handshake error: no shared cipher" - Added by Matt M about 1 month ago

Nope, I was planning on deploying on Linux. I was hoping to avoid using a reverse proxy if possible though - otherwise I'll probably just throw nginx in front of it :).

RE: "wthttp/async: SSL handshake error: no shared cipher" - Added by Wim Dumon about 1 month ago

Hey Matt,

You'd have to check if your server actually offers to connect with cyphers that are acceptable to your browser. There apparently are tools to list the cyphers actually supported by the server:
https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html

Possibly the ssl-cypherlist suggestion from our FAQ is outdated, or you want to be less strict than the list. You can try to omit the parameter and use the default cypherlist built-in in openssl. Possibly there is something wrong with the openssl library.

Wim.

RE: "wthttp/async: SSL handshake error: no shared cipher" - Added by Matt M about 1 month ago

I tried that nmap script but that returned no ciphers. I suspect it has something to do with openssl.
I'll keep trying things in the future and keep this post updated.

Thanks!

RE: "wthttp/async: SSL handshake error: no shared cipher" - Added by Matt M about 1 month ago

So upon building Wt from source on Linux I found that it looks for crypt when building the httpd, but not on macOS, e.g.

Linux build:

 
...
** Enabling built-in httpd.
-- Looking for strcasestr
-- Looking for strcasestr - found
-- Looking for strcasecmp
-- Looking for strcasecmp - found
-- Looking for crypt
-- Looking for crypt - not found
-- Looking for crypt in crypt
-- Looking for crypt in crypt - found
...

macOS build:

...
** Enabling built-in httpd.
...

Funnily enough, I still get the same no shared cipher error on Linux lol.

RE: "wthttp/async: SSL handshake error: no shared cipher" - Added by Matt M about 1 month ago

  • That crypt finding on macOS was actually because I passed cmake the -DSSL_PREFIX prefix, nothing to do with the problem

RE: "wthttp/async: SSL handshake error: no shared cipher" - Added by Roel Standaert about 1 month ago

crypt is only used for some examples to add another hash function to Wt::Auth. It's not an integral part of Wt.

RE: "wthttp/async: SSL handshake error: no shared cipher" - Added by Matt M about 1 month ago

I made a little progress: I had to tell cmake to look in the Homebrew openssl at /usr/local/opt/openssl/ rather than the default macOS openssl, which is /usr/bin/openssl.

However, now when I try to access the page my browser tries to establish a secure connection but times out, and I get no error from Wt. Any suggestions?

RE: "wthttp/async: SSL handshake error: no shared cipher" - Added by Wim Dumon about 1 month ago

Hey Matt,

Possibly something went wrong with your openssl build, so that it does not support any ciphers. What does 'openssl ciphers' tell you? And then check that your openssl binary is linked against the same openssl library as the one Wt is linked to.

I think this is an openssl issue rather than a Wt issue.

Best regards,
Wim.
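
Added example (not part of the thread and not Wt code): a check in the spirit of the `openssl ciphers` suggestion and the earlier advice about the cipher list, expanding a cipher string against a real OpenSSL build and intersecting what a server and a client would each allow. It assumes Python's `ssl` module, which reports on the OpenSSL library Python itself is linked to (possibly a different one from the library Wt links); the cipher strings are constructed samples, not the list from the Wt FAQ.

```python
import ssl


def legacy_suites(cipher_string):
    """Names of TLS 1.2-and-earlier suites this OpenSSL build selects for cipher_string.

    With OpenSSL 1.1.1 and later, TLS 1.3 suites are configured separately from
    the cipher string and get_ciphers() lists them regardless, so they are
    filtered out to show only what the string itself controls.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL reports that no cipher can be selected: the string matches
        # nothing this build supports (outdated names, or a stripped library).
        return set()
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def shared(server_string, client_string):
    """Suites both lists allow for a TLS 1.2-or-earlier handshake.

    An empty result is the situation the server logs as "no shared cipher".
    """
    return legacy_suites(server_string) & legacy_suites(client_string)


if __name__ == "__main__":
    print("Library under test:", ssl.OPENSSL_VERSION)
    # Constructed sample strings (assumptions for illustration only).
    server = "ECDHE+AESGCM"
    for client in ("ECDHE+AESGCM:AES128-SHA", "AES128-SHA", "NO-SUCH-SUITE"):
        common = sorted(shared(server, client))
        verdict = ", ".join(common) if common else "none (no shared cipher)"
        print(f"server={server!r} client={client!r} -> {verdict}")
```

An empty set from `legacy_suites()` for the server's own string means the list selects nothing in that library, which is the case where dropping the cipher-list parameter and falling back to the OpenSSL default is worth trying.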
