Hello Martin,

On Thu, 2005-18-08 at 09:57 +0100, Martin Hinks wrote:
> I also have a quick q about the SSLStream that I thought would fit
> under this topic ;P
>
> Is the problem with unsupported ciphers due to bugs/incompleteness of
> their components - i.e. ciphers using DH - are they missing because DH
> is missing etc.?

Quick answer:

* This is not a "problem", it's just a ((very) optional) task no one else has done (probably because no one needs it badly enough to code/test it).

Long answer:

* An SSL/TLS implementation doesn't have to support all possible ciphers. This is why SSL/TLS includes a negotiation step;
* The design of SslStream (just like the earlier SslClientStream and SslServerStream) doesn't include an API to select which algorithms to use (or not use). So the user is out of the loop for selecting the cipher (i.e. it will be negotiated between the client and server);
* Adding ciphers to SSL is much easier than testing them (and the API doesn't make it easier);
* People don't like it when something supported doesn't work, so Mono will add new ciphers to SSL only if we're sure they are working properly ;-)
* Mono.Security.dll supports DH (i.e. DH is present and working), so it isn't a cryptographic issue;
* DH wasn't really helpful for HTTPS (my main interest), nor for data access (Carlos), so we didn't implement support for it.

So it's not a problem (at least for most people). Adding DH support shouldn't be a very complex task for anyone interested (but testing may be a little more painful).

-- 
Sebastien

_______________________________________________
Mono-devel-list mailing list
[email protected]
http://lists.ximian.com/mailman/listinfo/mono-devel-list
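The negotiation step Sebastien refers to is what lets an implementation get away with supporting only a subset of cipher suites: the client lists what it can do, the server picks one from the overlap, and the handshake fails only when there is no overlap at all. The following is an added illustration, not Mono's SslStream code or anything from the thread. It models just the cipher_suites field of a ClientHello and the server's choice. The suite names and two-byte code points are the IANA-registered ones; the client and server preference lists are constructed for the example, and the "RSA-only server" stands in for an implementation that, like the SslStream described above, has no DH-based suites wired in.

```python
"""Toy model of TLS cipher-suite negotiation (added example, not Mono code).

The client sends the suites it supports, the server returns the first suite
in its own preference order that the client also offered, and a missing
overlap is reported the way TLS does it: a handshake failure.
"""
import struct

# IANA cipher-suite code points for TLS 1.0-era suites (the kind in use in 2005).
SUITES = {
    "TLS_RSA_WITH_RC4_128_MD5": 0x0004,
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA": 0x0016,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": 0x0033,
    "TLS_RSA_WITH_AES_256_CBC_SHA": 0x0035,
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": 0x0039,
}
NAMES = {code: name for name, code in SUITES.items()}


class HandshakeFailure(Exception):
    """Stands in for the TLS handshake_failure alert: no suite in common."""


def encode_cipher_suites(names):
    """Build the ClientHello cipher_suites field: 2-byte length, then 2 bytes per suite."""
    body = b"".join(struct.pack("!H", SUITES[n]) for n in names)
    return struct.pack("!H", len(body)) + body


def decode_cipher_suites(data):
    """Parse the field back into code points, rejecting truncated or odd lengths."""
    if len(data) < 2:
        raise ValueError("truncated cipher_suites field")
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:2 + length]
    if length % 2 or len(body) != length:
        raise ValueError("malformed cipher_suites field")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]


def negotiate(client_hello_field, server_preference):
    """Server side: first suite in the server's own order that the client offered."""
    offered = set(decode_cipher_suites(client_hello_field))
    for name in server_preference:
        if SUITES[name] in offered:
            return name
    raise HandshakeFailure("no cipher suite in common")


# Constructed: a client that prefers the DHE (forward-secret) suites but can
# fall back to plain RSA key exchange.
CLIENT_OFFER = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Constructed: a server that implements no DH-based suites at all.
RSA_ONLY_SERVER = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]


def demo():
    """Returns (suite chosen for the mixed offer, whether a DHE-only offer fails)."""
    chosen = negotiate(encode_cipher_suites(CLIENT_OFFER), RSA_ONLY_SERVER)
    try:
        negotiate(encode_cipher_suites(CLIENT_OFFER[:2]), RSA_ONLY_SERVER)
        dhe_only_failed = False
    except HandshakeFailure:
        dhe_only_failed = True
    return chosen, dhe_only_failed


if __name__ == "__main__":
    suite, failed = demo()
    print("negotiated:", suite)
    print("DHE-only client rejected:", failed)
```

Two things the model makes visible. First, the RSA-only server quietly skips the client's two DHE suites and lands on TLS_RSA_WITH_AES_128_CBC_SHA, so a client that is merely willing to use DH never notices the gap; only a client that insists on DH (offers nothing else) gets a handshake failure. Second, the choice is the server's: real stacks differ on whether they walk the server's or the client's preference order, and an API with no suite-selection knobs (the situation Sebastien describes for SslStream) leaves that policy entirely to the implementation.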
