We only use OpenSSL_add_all_algorithms during SSL initialization; no other SSL_[CTX]_set_cipher_list calls are made, therefore the cipher used should be the default DHE-RSA-AES256-SHA.
Alex

On Oct 14, 2012, at 3:01 PM, Dave Thompson wrote:

>> From: owner-openssl-us...@openssl.org On Behalf Of Alex Chen
>> Sent: Friday, 12 October, 2012 21:31
>
>> The 'openssl cipher -v' command shows the following cipher suites:
> <snip>
>> If both the client and server use the same version of openssl
>> library and they only call OpenSSL_add_all_algorithms()
>> to initialize the cipher list.
>> I assume the first 'preferred' cipher, DHE-RSA-AES256-SHA,
>> will be used, correct?
>
> Not necessarily.
>
> If either client or server calls SSL_[CTX_]set_cipher_list that
> changes the list and order of ciphersuites it uses. If not, they
> will both use the default list, which is the same default list used
> and shown by ciphers [-v] with no argument.
>
> The client sends its list in ClientHello. Unless you set
> "server preference" the server chooses the first ciphersuite
> in the client's list also in the server's list and usable.
> An RSA-DHE suite is only usable, and will only be chosen,
> if the server has an RSA key+cert configured and either
> a tmp_dh key (or maybe parameters?), or a tmp_dh_callback.
> (According to RFC, the cert must allow digitalSignature,
> but I don't think openssl enforces this.)
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
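The selection rule Dave describes, as an added Python model that is not part of the thread and does not call OpenSSL: the suite list is a constructed excerpt of the default order, `ServerConfig` and `negotiate` are hypothetical names, and the usability check reproduces the condition that a DHE-RSA suite needs an RSA cert plus tmp_dh material.

```python
from dataclasses import dataclass, field

# Constructed excerpt of the default list in 'openssl ciphers -v' order
# (assumption: the real default list of that OpenSSL version is longer).
DEFAULT_LIST = [
    "DHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "AES256-SHA",
    "DHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "AES128-SHA",
]

@dataclass
class ServerConfig:
    # Hypothetical model of the relevant SSL_CTX state.
    cipher_list: list = field(default_factory=lambda: list(DEFAULT_LIST))
    has_rsa_cert: bool = True
    has_tmp_dh: bool = False          # SSL_CTX_set_tmp_dh or tmp_dh_callback
    server_preference: bool = False   # SSL_OP_CIPHER_SERVER_PREFERENCE

def usable(suite, cfg):
    """A DHE-RSA suite needs an RSA key+cert and ephemeral DH material;
    a DHE-DSS suite would need a DSA cert (not modelled here);
    a plain RSA key-exchange suite just needs the RSA cert."""
    kx, _, rest = suite.partition("-")
    if kx == "DHE":
        auth = rest.split("-")[0]
        return auth == "RSA" and cfg.has_rsa_cert and cfg.has_tmp_dh
    return cfg.has_rsa_cert

def negotiate(client_list, cfg):
    """Walk the preferring side's list (client's unless server preference is
    set) and return the first suite present in both lists and usable;
    None models a handshake failure for lack of a shared cipher."""
    if cfg.server_preference:
        first, second = cfg.cipher_list, client_list
    else:
        first, second = client_list, cfg.cipher_list
    for suite in first:
        if suite in second and usable(suite, cfg):
            return suite
    return None

if __name__ == "__main__":
    # Both sides on the default list, server without tmp_dh: DHE-RSA is skipped.
    print(negotiate(DEFAULT_LIST, ServerConfig()))
    # Same, but the server has set tmp_dh: the first default suite wins.
    print(negotiate(DEFAULT_LIST, ServerConfig(has_tmp_dh=True)))
```

Running the block prints `AES256-SHA` and then `DHE-RSA-AES256-SHA`, which is the difference Dave points at: the default list alone does not make the first suite the one negotiated.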