Josh MacDonald wrote:
>
> In order to use a null encryption cipher I have to supply a special
> CPP flag (SSL_ALLOW_ENULL) when I *compile* it. This makes it difficult
> to write an application which uses NULL encryption, and there is no way
> for the programmer to re-enable NULL filters. If you insist on this
> somewhat questionable feature, then at least there should be a way to
> enable them with the API, but I recommend removing NULL filters from
> the mask used to initialize the cipher list. At least someone should
> be able to justify this.
>
Actually you can turn it back on. Here is a snippet of what we are doing
using SSLeay-0.9.0 within the Globus project (http://www.globus.org),
in src/Security/gssapi_ssleay/acquire_cred.c:
    /*
     * The SSLeay when built by default excludes the NULL
     * encryption options: #ifdef SSL_ALLOW_ENULL in ssl_ciph.c
     * Since the user obtains and builds the SSLeay, we have
     * no control over how it is built.
     *
     * We have an export licence for this code, and don't
     * need/want encryption. We will therefore turn off
     * any encryption by placing the RSA_NULL_MD5 cipher
     * first. See s3_lib.c ssl3_ciphers[]= The RSA_NULL_MD5
     * is the first, but the way to get at it is as n-1
     *
     * This method may need to be checked with new versions
     * of the SSLeay packages.
     */
    {
        int n;
        int i;
        SSL_CIPHER * cipher;

        /* Number of ciphers the method knows about. */
        n = ((*newcred->pcd->gs_ctx->method->num_ciphers))();
        /* RSA_NULL_MD5 is reached as entry n-1 (see comment above). */
        cipher =
            (*(newcred->pcd->gs_ctx->method->get_cipher))(n-1);
        if (cipher) {
            /* Put the NULL cipher at the front of both lists. */
            sk_insert(newcred->pcd->gs_ctx->cipher_list,
                      (char *)cipher, 0);
            sk_insert(newcred->pcd->gs_ctx->cipher_list_by_id,
                      (char *)cipher, 0);
        }
        /* go on to turn off the others... */
    }
> -josh
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
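
A defender-side check for the situation discussed above, as an added example that is not part of the original post or of the Globus or SSLeay code: it scans a preference-ordered, colon-separated list of expanded cipher names and reports how many are NULL-encryption suites and where the first one sits. It assumes OpenSSL-style suite names (not cipher-string keywords such as eNULL); the function names and sample lists are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* True if the hyphen-separated name [s, s+len) has NULL as a whole
 * token, e.g. "NULL-MD5" or "ECDHE-RSA-NULL-SHA". */
static int name_is_null_cipher(const char *s, size_t len)
{
    size_t start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i == len || s[i] == '-') {
            if (i - start == 4 && memcmp(s + start, "NULL", 4) == 0)
                return 1;
            start = i + 1;
        }
    }
    return 0;
}

/* Walks the list in preference order. Returns the number of
 * NULL-encryption suites; *first gets the index of the first (-1 if none). */
static int audit_cipher_list(const char *list, int *first)
{
    int idx = 0, found = 0;
    *first = -1;
    while (*list) {
        size_t len = strcspn(list, ":");
        if (len > 0) {                      /* skip empty fields */
            if (name_is_null_cipher(list, len)) {
                if (*first < 0) *first = idx;
                found++;
            }
            idx++;
        }
        list += len;
        if (*list == ':') list++;
    }
    return found;
}

int main(void)
{
    /* Constructed sample lists; the first has the NULL suite in front. */
    const char *lists[] = { "NULL-MD5:RC4-MD5:DES-CBC3-SHA", "RC4-MD5:DES-CBC3-SHA" };
    for (int k = 0; k < 2; k++) {
        int first, n = audit_cipher_list(lists[k], &first);
        printf("%s: %d NULL suite(s), first index %d\n", lists[k], n, first);
    }
    return 0;
}
```

A first index of 0 means the unencrypted suite is the one offered first, which is the state the front insert in the post produces.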