OPENSSL-LISTEN failed with "no shared cipher" when using cipher aNULL

CHANGES

@@ -49,6 +49,10 @@ corrections:
 	were used. Thanks to Tetsuya Sodo for reporting this problem and
 	sending a patch
 
+	OpenSSL server failed with "no shared cipher" when using cipher aNULL.
+	Fixed by providing temporary DH parameters. Thanks to Philip Rowlands
+	for drawing my attention to this issue.
+
 ####################### V 1.7.1.3:
 
 security:

test.sh

@@ -10484,6 +10484,50 @@ esac
 N=$((N+1))
 
 
+NAME=OPENSSL_ANULL
+case "$TESTS" in
+*%functions%*|*%openssl%*|*%tcp%*|*%tcp4%*|*%ip4%*|*%$NAME%*)
+TEST="$NAME: OpenSSL server with cipher aNULL "
+if ! eval $NUMCOND; then :;
+elif ! testaddrs openssl >/dev/null; then
+    $PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL not available${NORMAL}\n" $N
+    numCANT=$((numCANT+1))
+elif ! testaddrs listen tcp ip4 >/dev/null || ! runsip4 >/dev/null; then
+    $PRINTF "test $F_n $TEST... ${YELLOW}TCP/IPv4 not available${NORMAL}\n" $N
+    numCANT=$((numCANT+1))
+else
+tf="$td/test$N.stdout"
+te="$td/test$N.stderr"
+tdiff="$td/test$N.diff"
+da="test$N $(date) $RANDOM"
+CMD2="$SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,$SOCAT_EGD,ciphers=aNULL,verify=0 pipe"
+CMD="$SOCAT $opts - openssl:$LOCALHOST:$PORT,ciphers=aNULL,verify=0,$SOCAT_EGD"
+printf "test $F_n $TEST... " $N
+eval "$CMD2 2>\"${te}1\" &"
+pid=$!	# background process id
+waittcp4port $PORT
+echo "$da" |$CMD >$tf 2>"${te}2"
+if ! echo "$da" |diff - "$tf" >"$tdiff"; then
+    $PRINTF "$FAILED: $SOCAT:\n"
+    echo "$CMD2 &"
+    echo "$CMD"
+    cat "${te}1"
+    cat "${te}2"
+    cat "$tdiff"
+    numFAIL=$((numFAIL+1))
+else
+   $PRINTF "$OK\n"
+   if [ -n "$debug" ]; then cat "${te}1" "${te}2"; fi
+   numOK=$((numOK+1))
+fi
+kill $pid 2>/dev/null
+wait
+fi ;; # NUMCOND, feats
+esac
+PORT=$((PORT+1))
+N=$((N+1))
+
+
 ###############################################################################
 # here come tests that might affect your systems integrity. Put normal tests
 # before this paragraph.

xio-openssl.c

@@ -1,5 +1,5 @@
 /* source: xio-openssl.c */
-/* Copyright Gerhard Rieger 2002-2009 */
+/* Copyright Gerhard Rieger 2002-2011 */
 /* Published under the GNU General Public License V.2, see file COPYING */
 
 /* this file contains the implementation of the openssl addresses */
@@ -739,6 +739,50 @@ int
       return STAT_RETRYLATER;
    }
 
+   {
+      static unsigned char dh512_p[] = {
+	 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
+	 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
+	 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
+	 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
+	 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
+	 0x47,0x74,0xE8,0x33,
+      };
+      static unsigned char dh512_g[] = {
+	 0x02,
+      };
+      DH *dh;
+      unsigned long err;
+
+      if ((dh = DH_new()) == NULL) {
+	 while (err = ERR_get_error()) {
+	    Warn1("DH_new(): %s",
+		   ERR_error_string(err, NULL));
+	 }
+	 Error("DH_new() failed");
+      } else {
+	 dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
+	 dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
+	 if ((dh->p == NULL) || (dh->g == NULL)) {
+	    while (err = ERR_get_error()) {
+	       Warn1("BN_bin2bn(): %s",
+		     ERR_error_string(err, NULL));
+	    }
+	    Error("BN_bin2bn() failed");
+	 } else {
+	    if (SSL_CTX_set_tmp_dh(*ctx, dh) <= 0) {
+	       while (err = ERR_get_error()) {
+		  Warn1("SSL_CTX_set_tmp_dh(%p, %p): %s",
+			ERR_error_string(err, NULL));
+	       }
+	       Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh);
+	    }
+	    /*! OPENSSL_free(dh->p,g)? doc does not tell so */
+	 }
+	 DH_free(dh);
+      }
+   }
+
    if (opt_cafile != NULL || opt_capath != NULL) {
       if (sycSSL_CTX_load_verify_locations(*ctx, opt_cafile, opt_capath) != 1) {
 	 int result;