Hi
I have a fundamental question regarding choosing the cipher in SSL. The spec
says that the client sends the accepted ciphers in the order of preference, and
that the server then chooses the cipher to use.
In the current implementation of ssl3_choose_cipher() it is really the client's
preference which will be taken to choose from the common ciphers.
But I know many companies which would like to be able to set the preference
on the server side.
Because of the current behaviour, 'RC4-MD5' will be chosen before
'DES-CBC3-SHA', which I think is not correct.
Now the questions:
1) Is (from the spec point of view) the server side allowed
to choose according to its own preferences?
2) Why should the server not enforce its own preference?
regards
Matthias Loepfe
-------------------------------------------------------------------------------
Matthias Loepfe, AdNovum Informatik AG, Roentgenstr. 22, CH-8005 Zurich
Email: [EMAIL PROTECTED] Voice: +41 1 272 6111 Fax: +41 1 272 6312
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
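
The two selection policies the message contrasts, as an added example that is not part of the original post and is not OpenSSL's code. The names `choose_cipher` and `pref_side` are hypothetical, and the cipher lists are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Which side's ordering decides among the ciphers both peers support. */
enum pref_side { PREF_CLIENT, PREF_SERVER };

/* Return 1 if `name` appears in list[0..n). */
static int in_list(const char *name, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, list[i]) == 0)
            return 1;
    return 0;
}

/*
 * Hypothetical helper (not OpenSSL's ssl3_choose_cipher): walk the
 * preferred side's list in order and return the first cipher the other
 * side also offers, or NULL when there is no common cipher.
 */
const char *choose_cipher(const char *const *client, size_t nc,
                          const char *const *server, size_t ns,
                          enum pref_side side)
{
    const char *const *prio  = (side == PREF_SERVER) ? server : client;
    const char *const *other = (side == PREF_SERVER) ? client : server;
    size_t np = (side == PREF_SERVER) ? ns : nc;
    size_t no = (side == PREF_SERVER) ? nc : ns;

    for (size_t i = 0; i < np; i++)
        if (in_list(prio[i], other, no))
            return prio[i];
    return NULL;
}

/* Constructed sample lists, each in its owner's order of preference. */
const char *const client_list[] = { "RC4-MD5", "DES-CBC3-SHA", "EXP-RC4-MD5" };
const char *const server_list[] = { "DES-CBC3-SHA", "RC4-MD5" };

int main(void)
{
    printf("client order decides: %s\n",
           choose_cipher(client_list, 3, server_list, 2, PREF_CLIENT));
    printf("server order decides: %s\n",
           choose_cipher(client_list, 3, server_list, 2, PREF_SERVER));
    return 0;
}
```

OpenSSL has an `SSL_OP_CIPHER_SERVER_PREFERENCE` option for `SSL_CTX_set_options()` that selects the server-side ordering.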