On Mon, Nov 27, 2000 at 04:11:31PM -0500, Jeffrey Altman wrote:
> The way I see it, the KRB5 ciphers need to be filtered out at the
> location where the Client Hello message is both constructed in the
> client and processed in the server. That is why I am looking at the
> translation functions. If KRB5 can't possibly succeed, don't offer
> them to the server or ignore them on the server.
I am not sure whether I missed something. The list of ciphers available
(that is: offered by the client and/or accepted by the server) is set
with SSL_CTX_set_cipher_list() (or SSL_set_cipher_list(), respectively).
Only the ciphers allowed there are offered by the client to the server;
the server will only pick a cipher if it was set using these functions.
Actually, the usable list is even more restricted: a DSA cipher will
only be chosen if the server has a DSA certificate, and ciphers with DH
(this includes DSA ciphers) will only be chosen if DH parameters are set...
What OpenSSL does not offer is a server-side "cipher choice" callback.
The client sends a list of ciphers and an OpenSSL server will always choose
the first of the ciphers it does support.
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
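An added example, not code from this thread or from the OpenSSL project: a small Python model of the negotiation Lutz describes (the configured cipher list bounds what the client offers and what the server accepts, the server's credentials prune that further, and the server takes the first suite in the client's order that it can use), next to a call into the real OpenSSL through Python's ssl module, whose SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list(). The suite table, the ServerCreds flags (including a hypothetical krb5_keytab flag) and the client/server lists are constructed for illustration; server_preference models the SSL_OP_CIPHER_SERVER_PREFERENCE option that later OpenSSL releases added, which did not exist when this message was written.

```python
"""Model of SSL cipher-suite selection as described in the thread, plus a
query of the real OpenSSL cipher-string parser via Python's ssl module.
Added example; not OpenSSL project code. Suite table and credentials are
constructed for illustration."""
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str   # OpenSSL-style cipher name
    kx: str     # key exchange: "RSA", "DH" or "KRB5"
    auth: str   # authentication: "RSA", "DSS" or "KRB5"


# Constructed sample of suites of the period (names follow OpenSSL's).
SUITES = {s.name: s for s in (
    Suite("KRB5-DES-CBC3-SHA", "KRB5", "KRB5"),
    Suite("EDH-DSS-DES-CBC3-SHA", "DH", "DSS"),
    Suite("EDH-RSA-DES-CBC3-SHA", "DH", "RSA"),
    Suite("DES-CBC3-SHA", "RSA", "RSA"),
    Suite("RC4-SHA", "RSA", "RSA"),
)}


@dataclass(frozen=True)
class ServerCreds:
    rsa_cert: bool = False
    dsa_cert: bool = False
    dh_params: bool = False    # as set by SSL_CTX_set_tmp_dh() or its callback
    krb5_keytab: bool = False  # hypothetical flag for a Kerberos-enabled server


def server_can_use(suite, creds):
    """The restrictions Lutz lists: a suite is usable only when the server
    holds the matching credential (DSA cert for DSS auth, DH params for
    any DH suite, Kerberos credentials for KRB5 suites)."""
    if suite.kx == "KRB5":
        return creds.krb5_keytab
    if suite.kx == "DH" and not creds.dh_params:
        return False
    return {"RSA": creds.rsa_cert, "DSS": creds.dsa_cert}[suite.auth]


def client_offer(cipher_list, has_krb5_ticket):
    """What the ClientHello carries: the configured list, minus KRB5 suites
    when the client has no ticket and they therefore cannot succeed.  This is
    the filtering the thread argues about; Lutz's answer is that the cipher
    list itself is the place to leave them out."""
    return [n for n in cipher_list
            if n in SUITES and (has_krb5_ticket or SUITES[n].kx != "KRB5")]


def negotiate(offered, server_list, creds, server_preference=False):
    """Return the chosen suite name, or None for a handshake failure.

    server_preference=False is the behaviour described in the message: the
    server walks the client's list and takes the first suite it allows and
    can use.  server_preference=True walks the server's own list instead."""
    usable = [n for n in server_list if server_can_use(SUITES[n], creds)]
    first, second = (usable, offered) if server_preference else (offered, usable)
    for name in first:
        if name in second:
            return name
    return None


def configured_ciphers(spec):
    """Expand a cipher string with the real OpenSSL.  Returns the cipher
    names the context will offer/accept, or None when OpenSSL rejects the
    string because nothing matches.  On OpenSSL 1.1.1+ the list also shows
    TLS 1.3 suites, which set_ciphers() does not govern."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return None
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    client = ["KRB5-DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA", "DES-CBC3-SHA", "RC4-SHA"]
    server = ["RC4-SHA", "DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA", "KRB5-DES-CBC3-SHA"]
    offered = client_offer(client, has_krb5_ticket=False)
    print("offered:", offered)
    print("RSA cert only:", negotiate(offered, server, ServerCreds(rsa_cert=True)))
    print("RSA cert + DH params:",
          negotiate(offered, server, ServerCreds(rsa_cert=True, dh_params=True)))
    print("server preference:",
          negotiate(offered, server, ServerCreds(rsa_cert=True), server_preference=True))
    print("HIGH:!aNULL:!RC4 ->", configured_ciphers("HIGH:!aNULL:!RC4"))
```

Run it as a script to see the three outcomes side by side: with only an RSA certificate the DH suite the client prefers is skipped and DES-CBC3-SHA wins; once DH parameters are set the client's first usable choice, EDH-RSA-DES-CBC3-SHA, is taken; and with server preference the server's own first entry, RC4-SHA, is chosen instead. The last line shows that a "!RC4" rule in the cipher string is what keeps RC4 out of the offer in the first place.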