On Mon, May 22, 2000 at 09:29:29PM +0530, Amit Chopra wrote:
> Now my question. Here is some code from s3_srvr.c that is
> used in the key exchange.
>
> File s3_srvr.c, Function ssl3_send_server_key_exchange, Line 955:
> rsa=s->cert->rsa_tmp_cb(s,
>     SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
>     SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
> ....
>
> File s3_srvr.c, Function ssl3_send_server_key_exchange, Line 984:
> dhp=s->cert->dh_tmp_cb(s,
>     !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
>     SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
> ....
>
>
> The interesting thing is the negation of SSL_C_IS_EXPORT when using
> temp DH callback. So in my temp DH callback, when I am expecting the
> key to be exportable, it is not and vice versa. [...]
> Is there some logic behind negating the SSL_C_IS_EXPORT return value
> for the DH callback?
No. I'm changing it in the source code. Presumably the reason
that no-one has noticed this before is that few people use DH at all,
and if they do, they don't necessarily use the callback.
I'm not aware of any export-restricted SSL clients that were
able to use DH ciphersuites when the US export rules had the
512 bit limit; so 1024 bit DH was always OK.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]