https://bz.apache.org/bugzilla/show_bug.cgi?id=58213
Kaspar Brand <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #5 from Kaspar Brand <[email protected]> ---
(In reply to stephen_wall from comment #4)
> I respectfully suggest that apache change its code to append
> ':!aNULL:!eNULL:!EXP' instead, to be compatible with the OpenSSL documented
> behavior, if not its actual behavior.

That sounds like a good solution, yes. I'd first like to see how
https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=4009
gets addressed/fixed, however. As you have noted there, the current code in
ssl_ciph.c:check_suiteb_cipher_list() does not match the documentation in the
ciphers(1) man page (which was retrospectively added, BTW -
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ffa457967982689149fa8403a1d57cee1dbee805).

Cc'ing Steve on this report, in case he might want to comment on how we should
deal with this in mod_ssl.

(In reply to stephen_wall from comment #3)
> FYI, specifying the cipher suites used by Suite B is not a full workaround.
> Using the SUITEB128 etc strings does more than just set the ciphers, it also
> enforces use of specific elliptic curves as required by the Suite B
> documentation.

Indeed, I missed that check_suiteb_cipher_list() also sets the
SSL_CERT_FLAG_SUITEB_* flags for the cert accordingly, which are then used in
the t1_lib.c code to determine the appropriate curve and signature algorithm
lists.
