On Wed, Oct 13, 1999 at 06:29:32PM +0200, Lutz Jaenicke wrote:
> > Speaking of which, now that Netscape (at least) ship a client that
> > supports the new 56/1024 bit ciphersuites, should we switch them on?
> 
> Hmm, I tried them and they did work with Netscape.
> I however also tried them for my own client/server application
> (RFC2487 = TLS for SMTP), and when I enabled the experimental
> TLS cipher suites in ssl/tls1.h, the automatic negotiation 
> yielded the 56/128 bit cipher, even though more secure ciphers were
> available.
> Setting SSL_OP_NON_EXPORT_FIRST didn't help.
> 
> How to check the priority??

Ok, a follow up to my own post.

In the meantime I have spent some hours strolling through the OpenSSL source
and RFC2246. From the RFC, the client sends its list of ciphers with
the preferred ones first (if I understood everything right).
How to control the list of ciphers the client is sending? Of course I
can try to specify it myself, but then this list will depend on the compile
time options (and version) of the library, so I don't think this is appropriate.

From the source code I think, part of the problem is the "exportable" check
with SSL_IS_EXPORT (and derivatives of this macro), since there is a
EXPORT56 check macro available, but I don't see it actually used.
And to be fair, the OpenSSL source code is not really readable (please compare
to let's say postfix), so that I didn't manage to figure out from
ssl/ssl_ciph.c, how the list of ciphers is collected.
Is there any explanation available?

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
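The question above ("How to check the priority??") can be answered by reading the cipher list back from the library after it has been set, because the order of that list is the order the client puts the suites into its ClientHello. The following is an added example, not code from the original post or from the OpenSSL project. It uses Python's standard `ssl` module, which passes the cipher string straight through to OpenSSL's `SSL_CTX_set_cipher_list()` and reads the resulting list back with `SSL_get_ciphers()`, so it runs offline without a compile step. The cipher strings `DEFAULT_LIST` and `STRENGTH_SORTED` are constructed for the example; the `@STRENGTH` suffix asks OpenSSL to reorder the list by key strength, which is the library-side answer to the original complaint that `SSL_OP_NON_EXPORT_FIRST` did not change the negotiation. Note that current OpenSSL builds contain no EXPORT suites at all, so the 56-bit suite from the post will not appear; the helper `weakest_first_position()` is therefore exercised on a constructed list as well as on the live one.

```python
import ssl

# Constructed cipher strings for this example (not from the original post).
# The strings are OpenSSL cipher-list syntax, exactly what
# SSL_CTX_set_cipher_list() parses; ssl.SSLContext.set_ciphers() passes
# them through unchanged.
DEFAULT_LIST = "DEFAULT"
STRENGTH_SORTED = "ALL:!aNULL:!eNULL:@STRENGTH"


def offered_ciphers(cipher_string):
    """Return (name, strength_bits) for the TLS 1.2-and-below suites a client
    built from `cipher_string` would offer, in ClientHello order.

    TLS 1.3 suites are skipped: OpenSSL configures them separately
    (SSL_CTX_set_ciphersuites) and always lists them first, so the cipher
    string does not influence them at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [
        (c["name"], c["strength_bits"])
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3"
    ]


def is_strength_ordered(ciphers):
    """True if no suite is followed by a stronger one (non-increasing bits)."""
    bits = [b for _, b in ciphers]
    return all(a >= b for a, b in zip(bits, bits[1:]))


def weakest_first_position(ciphers, max_bits):
    """Index of the first suite with strength <= max_bits, or None.

    This is the check the post is after: if a weak suite sits ahead of
    stronger ones, the client advertises it with higher priority and a
    server that honours client preference will negotiate it.
    """
    for i, (_, bits) in enumerate(ciphers):
        if bits <= max_bits:
            return i
    return None


if __name__ == "__main__":
    for label, spec in (("default", DEFAULT_LIST), ("sorted", STRENGTH_SORTED)):
        lst = offered_ciphers(spec)
        print(f"{label}: {len(lst)} suites, "
              f"strength-ordered={is_strength_ordered(lst)}, "
              f"first <=56-bit suite at {weakest_first_position(lst, 56)}")
        for name, bits in lst[:5]:
            print(f"  {bits:4d}  {name}")
```

Running the script prints both lists with their leading entries; on a current OpenSSL the `@STRENGTH` list is strictly non-increasing in key bits, which is the property the post wanted to verify before trusting the automatic negotiation.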