On Mon, 7 Jan 2002 13:50:26 +0000 (GMT), Tushar wrote:
>1. Cipher Selection: If the client sends a weaker cipher (export), followed
>by a stronger cipher, then OpenSSL selects the first (weaker) cipher as
>preferred by the client (as per the RFC).
>Note that in the above case, an attacker can influence the order of the client's
>cipher preference, thereby causing the peers to decide on weaker ciphers.
>Shouldn't there be logic to protect from such attacks?
>Given a set of ciphers, the server should be able to decide on the
>strongest one, which need not always be the first one.
Neither side should offer or accept a cipher that is insufficiently strong
to protect the transaction with the level of security appropriate to the
transaction.
DS
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
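
The selection policies discussed in this thread, modelled as an added example that is not part of the original messages and is not OpenSSL's code. The function names, the strength table (nominal key sizes) and the sample client offer are constructed assumptions for illustration.

```python
# Model of the cipher selection policies discussed in this thread.
# Not OpenSSL code. Nominal key sizes in bits, constructed for this example.
STRENGTH_BITS = {
    "EXP-RC4-MD5": 40,
    "EXP-DES-CBC-SHA": 40,
    "DES-CBC-SHA": 56,
    "RC4-SHA": 128,
    "DES-CBC3-SHA": 168,
}


def select_client_order(client_offer, server_enabled):
    """First cipher in the client's list that the server also enables."""
    for name in client_offer:
        if name in server_enabled:
            return name
    return None  # no shared cipher: the handshake fails


def select_strongest(client_offer, server_enabled):
    """Strongest shared cipher, ignoring the order of the client's list."""
    shared = [c for c in client_offer if c in server_enabled]
    return max(shared, key=STRENGTH_BITS.__getitem__, default=None)


def apply_floor(ciphers, min_bits):
    """Drop every cipher below the strength the transaction requires."""
    return [c for c in ciphers if STRENGTH_BITS[c] >= min_bits]


# Constructed input: a client offer with a weak export cipher listed first.
CLIENT_OFFER = ["EXP-RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"]
SERVER_ALL = list(STRENGTH_BITS)
SERVER_FLOORED = apply_floor(SERVER_ALL, 128)  # weak ciphers never enabled

if __name__ == "__main__":
    print("client order, no floor:", select_client_order(CLIENT_OFFER, SERVER_ALL))
    print("strongest, no floor:   ", select_strongest(CLIENT_OFFER, SERVER_ALL))
    print("client order, floored: ", select_client_order(CLIENT_OFFER, SERVER_FLOORED))
    # A client that offers only export ciphers gets no match at all.
    print("export-only, floored:  ",
          select_client_order(["EXP-RC4-MD5", "EXP-DES-CBC-SHA"], SERVER_FLOORED))
```

With the floor applied, the order of the client's list can no longer lead to a weak cipher, whichever selection rule the server uses.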