On Mon, 7 Jan 2002 13:50:26 +0000 (GMT), Tushar wrote:
> 1. Cipher Selection: If the Client sends a weaker cipher (export), followed
> by a stronger cipher, then openssl selects the first (weaker) cipher as
> preferred by the client (as per the RFC).
> Note in the above case, an attacker can influence the order of the client's
> cipher preference, thereby causing the peers to decide on weaker ciphers.
> Shouldn't there be logic to protect from such attacks?
> Given a set of ciphers, the server should be able to decide on the
> strongest one, which need not always be the first one.

Neither side should offer or accept a cipher that is insufficiently strong to protect the transaction with the level of security appropriate to the transaction.

DS
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
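The two selection policies discussed in this thread (first client-listed suite wins, versus the server walking its own preference order) together with the floor that the reply asks for (never offer or accept a suite below the strength the transaction needs) can be simulated in a few lines. The following is an added example written for this page, not code from the thread, from OpenSSL, or from anyone posting here; the suite names and the bit-strength ratings in SUITE_STRENGTH are a constructed table for illustration, not a transcription of OpenSSL's cipher table.

```python
"""Simulated TLS cipher-suite selection: client preference vs server preference,
with and without a minimum-strength floor. Constructed example for illustration."""

# Constructed strength table: illustrative effective key bits per suite.
SUITE_STRENGTH = {
    "EXP-RC4-MD5": 40,       # export-grade
    "EXP-DES-CBC-SHA": 40,   # export-grade
    "DES-CBC-SHA": 56,
    "RC4-SHA": 128,
    "AES128-SHA": 128,
    "DES-CBC3-SHA": 168,
    "AES256-SHA": 256,
}


def strip_weak(order, min_bits):
    """The 'should not offer' half of the rule: drop suites below the floor from a
    preference list before it is ever sent or enabled."""
    return [s for s in order if SUITE_STRENGTH.get(s, 0) >= min_bits]


def select_cipher(client_order, server_order, server_preference=False, min_bits=0):
    """Return the negotiated suite, or None if no acceptable suite is shared.

    client_order      -- suites as listed in the ClientHello, most preferred first
    server_order      -- suites the server enables, most preferred first
    server_preference -- True: walk the server's list, so the server decides;
                         False: walk the client's list, the behaviour the thread
                         describes, where the first shared client suite wins
    min_bits          -- the 'should not accept' half of the rule: a suite below
                         this floor is never chosen under either policy
    """
    if server_preference:
        primary, secondary = server_order, client_order
    else:
        primary, secondary = client_order, server_order
    shared = set(secondary)
    for suite in primary:
        if suite in shared and SUITE_STRENGTH.get(suite, 0) >= min_bits:
            return suite
    return None


# Constructed preference lists. The server enables everything it knows, strongest first.
SERVER_ORDER = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA", "EXP-RC4-MD5"]
# A client that lists the same suites strongest first.
CLIENT_HONEST = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA", "EXP-RC4-MD5"]
# The same suites with the export suite first, followed by stronger ones: the
# ClientHello ordering the thread describes.
CLIENT_WEAK_FIRST = ["EXP-RC4-MD5", "RC4-SHA", "DES-CBC3-SHA", "AES128-SHA", "AES256-SHA"]


def compare_policies(client_order, server_order=SERVER_ORDER):
    """Run one ClientHello through all four policy combinations."""
    return {
        "client_pref": select_cipher(client_order, server_order),
        "server_pref": select_cipher(client_order, server_order, server_preference=True),
        "client_pref_floor128": select_cipher(client_order, server_order, min_bits=128),
        "server_pref_floor128": select_cipher(client_order, server_order,
                                              server_preference=True, min_bits=128),
    }


if __name__ == "__main__":
    for name, order in (("honest", CLIENT_HONEST), ("weak-first", CLIENT_WEAK_FIRST)):
        print(name, compare_policies(order))
    # A client offering only export suites gets nothing once the floor is applied.
    print("export-only", compare_policies(["EXP-RC4-MD5", "EXP-DES-CBC-SHA"]))
```

With the weak-first ClientHello, client preference yields EXP-RC4-MD5 while server preference yields AES256-SHA; with a 128-bit floor, client preference still only gets as far as RC4-SHA, and an export-only client is refused under both policies rather than downgraded. In OpenSSL terms, server_preference=True corresponds to the SSL_OP_CIPHER_SERVER_PREFERENCE option, and the floor corresponds to excluding weak suites from the cipher string passed to SSL_CTX_set_cipher_list (for example with "!EXPORT"). Note that an on-path reordering of the ClientHello is also meant to be caught by the Finished message's handshake hash; the selection policy still matters because it decides the outcome when a client genuinely lists a weak suite first.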