Mark <[EMAIL PROTECTED]> writes:
> Hello. I'm trying to compile openssl with just the export-strength
> ciphers enabled. I have tried pretty much every combination of no-
> options and flags I could think of and find in the documentation. Has
> anyone done this and able to share how they did it?

I couldn't find any way to do it either. What I eventually settled for was
looping through the ciphers list at runtime and disabling specific ciphers
that do not meet our current export level. We have 3 levels of
exportability - domestic (128-bit), export56 (56-bit), and export40
(40-bit).

av_check_single_cipher just looks at SSL_CIPHER_get_bits,
SSL_C_IS_EXPORT40(), or SSL_C_IS_EXPORT56() and compares it against our
license file and does various other voodoo checks to make the NSA happy.

I didn't like having to include ssl_locl.h to get some of these macros, but
I didn't see any other alternative to get the info I needed. If there is
an 'official' way to determine if an SSL_CIPHER is export grade or not, and
what the public key length is (SSL_C_EXPORT_PKEYLENGTH() macro), please let
me know.
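
{
    SSL_CIPHER *cipher = NULL;
    unsigned int u;

    /* Walk the library's internal SSLv3 cipher table (needs ssl_locl.h).
     * valid is a counter declared outside this excerpt. */
    for (u = 0; u < ssl3_num_ciphers(); u++)
    {
        if (!(cipher = ssl3_get_cipher(u)))
        {
            continue;
        }
        if (av_check_single_cipher(cipher) != 0)
        {
            /* Cipher was deemed bad! */
            /* Mark the table entry unusable and rename it so it can no
             * longer be selected by name. */
            cipher->valid = 0;
            cipher->name = "INVALID-CIPHER";
        }
        else
        {
            valid++;
        }
    }
}
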
-Bill P.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
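
The strength-based part of the filtering described in the message can also be done without touching the cipher table, by building a cipher-list string from names and bit counts. The following is an added example, not code from the original post or from OpenSSL: struct cipher_info, build_cipher_list and the sample table are hypothetical, the bit values are constructed to model what SSL_CIPHER_get_bits() reports, and it does not address the export public key length question.

```c
#include <stdio.h>
#include <string.h>

/* Levels named in the post, expressed as the maximum permitted strength. */
enum export_level { EXPORT40 = 40, EXPORT56 = 56, DOMESTIC = 128 };

/* Hypothetical stand-in for SSL_CIPHER: in a real build the fields would
 * come from SSL_CIPHER_get_name() and SSL_CIPHER_get_bits(). */
struct cipher_info { const char *name; int bits; };

/* Constructed sample table, not read from a live library. */
static const struct cipher_info sample_ciphers[] = {
    { "AES128-SHA", 128 }, { "RC4-MD5", 128 }, { "DES-CBC-SHA", 56 },
    { "EXP1024-DES-CBC-SHA", 56 }, { "EXP-DES-CBC-SHA", 40 },
    { "EXP-RC4-MD5", 40 }, { "NULL-MD5", 0 },
};
#define N_SAMPLE (sizeof sample_ciphers / sizeof sample_ciphers[0])

/* Fill out with a colon-separated list of ciphers at or below the level.
 * Returns the number kept, or -1 if out is too small or nothing qualifies
 * (fail closed instead of returning an empty or truncated list). */
int build_cipher_list(enum export_level level, const struct cipher_info *tbl,
                      size_t n, char *out, size_t outlen)
{
    size_t used = 0, i;
    int kept = 0;

    if (outlen == 0) return -1;
    out[0] = '\0';
    for (i = 0; i < n; i++) {
        size_t len = strlen(tbl[i].name), sep = kept ? 1 : 0;
        if (tbl[i].bits <= 0 || tbl[i].bits > (int)level)
            continue;            /* no encryption, or stronger than licensed */
        if (used + sep + len + 1 > outlen) { out[0] = '\0'; return -1; }
        if (sep) out[used++] = ':';
        memcpy(out + used, tbl[i].name, len + 1);   /* copies the NUL too */
        used += len;
        kept++;
    }
    return kept ? kept : -1;
}

int main(void)
{
    char list[256];
    if (build_cipher_list(EXPORT56, sample_ciphers, N_SAMPLE, list, sizeof list) > 0)
        printf("%s\n", list);    /* candidate for SSL_CTX_set_cipher_list() */
    return 0;
}
```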