Lutz Jaenicke wrote:
>
> On Mon, Nov 27, 2000 at 04:11:31PM -0500, Jeffrey Altman wrote:
> > The way I see it, the KRB5 ciphers need to be filtered out at the
> > location where the Client Hello message is both constructed in the
> > client and processed in the server. That is why I am looking at the
> > translation functions. If KRB5 can't possibly succeed, don't offer
> > them to the server or ignore them on the server.
>
> I am not sure whether I missed something. The list of ciphers available
> (that is: offered by the client and/or accepted by the server) is set
> with SSL_CTX_set_cipher_list() (or SSL_set_cipher_list(), respectively).
> Only the ciphers allowed there are offered from the client to the server;
> the server will only pick a cipher if it was set using these functions.
> Actually, the usable list is even more restricted: a DSA cipher will
> only be chosen if the server has a DSA certificate, and ciphers with DH
> (this includes DSA ciphers) will only be chosen if DH parameters are set...
>
> What OpenSSL does not offer is a server-side "cipher choice" callback.
> The client sends a list of ciphers and an OpenSSL server will always choose
> the first of the ciphers it does support.
The point is that he wants to vary the list according to whether the
client presented a cert or not. Hadn't really thought about a cipher
choice callback, but actually that might be a cool way to address the
problem.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
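The selection rules Lutz describes above (only ciphers matching the configured list are offered or accepted, DSA/DH suites are additionally gated on the server's certificate and DH parameters, and the server takes the first cipher in the client's list that it supports), worked through as an added example. This is not code from the thread or from OpenSSL; it is written in Python because the standard `ssl` module's `SSLContext.set_ciphers()` is a thin wrapper over `SSL_CTX_set_cipher_list()` and runs without a compiler or certificates. The `pick_cipher` and `usable_on_server` functions are a model of the rule, not OpenSSL's own code; the `server_preference` flag models the later `SSL_OP_CIPHER_SERVER_PREFERENCE` option, which did not exist when this message was written. The `SAMPLE_CIPHERS` entries are constructed to mirror the dict format returned by `SSLContext.get_ciphers()`.

```python
import ssl


def offered_ciphers(cipher_string):
    """Return the cipher names a context configured with `cipher_string` would
    actually put on the wire (client) or accept (server).  set_ciphers() wraps
    SSL_CTX_set_cipher_list(); anything outside the string is never offered.
    Raises ssl.SSLError if no cipher matches the string at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def usable_on_server(ciphers, has_rsa_cert=True, has_dsa_cert=False,
                     has_dh_params=False):
    """Apply the extra server-side restrictions from the thread: an Au=DSS
    suite needs a DSA certificate, an Au=RSA suite needs an RSA certificate,
    and a Kx=DH suite needs DH parameters.  `ciphers` is a list of dicts with
    'name' and 'description' keys in the SSLContext.get_ciphers() format; the
    Kx=/Au= tokens are parsed from the description string."""
    usable = []
    for c in ciphers:
        fields = dict(tok.split("=", 1)
                      for tok in c["description"].split() if "=" in tok)
        kx, au = fields.get("Kx", ""), fields.get("Au", "")
        if au == "DSS" and not has_dsa_cert:
            continue
        if au == "RSA" and not has_rsa_cert:
            continue
        if kx == "DH" and not has_dh_params:
            continue
        usable.append(c["name"])
    return usable


def pick_cipher(client_offered, server_allowed, server_preference=False):
    """Model of the server's choice as described in the thread: walk the
    client's list in order and take the first suite the server also allows.
    With server_preference=True the server's own order wins instead (the
    later SSL_OP_CIPHER_SERVER_PREFERENCE behaviour).  Returns None when the
    two lists do not overlap, i.e. the handshake fails with 'no shared cipher'."""
    ordered, other = ((server_allowed, client_offered) if server_preference
                      else (client_offered, server_allowed))
    other_set = set(other)
    for name in ordered:
        if name in other_set:
            return name
    return None


# Constructed sample, shaped like SSLContext.get_ciphers() output.
SAMPLE_CIPHERS = [
    {"name": "DHE-DSS-AES256-SHA",
     "description": "DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1"},
    {"name": "DHE-RSA-AES256-SHA",
     "description": "DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256",
     "description": "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA "
                    "Enc=AESGCM(128) Mac=AEAD"},
    {"name": "AES128-SHA",
     "description": "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1"},
]


if __name__ == "__main__":
    # Server with an RSA certificate and no DH parameters: the DHE suites
    # drop out regardless of what the cipher string allows.
    server_allowed = usable_on_server(SAMPLE_CIPHERS)
    print("server can actually use:", server_allowed)

    client_offered = [c["name"] for c in SAMPLE_CIPHERS]
    print("client order wins:", pick_cipher(client_offered, server_allowed))
    print("server order wins:",
          pick_cipher(client_offered, server_allowed, server_preference=True))
    print("no overlap:", pick_cipher(["DHE-DSS-AES256-SHA"], server_allowed))

    # Live check against the linked OpenSSL: names depend on the local build.
    try:
        print("ECDHE-only context offers:", offered_ciphers("ECDHE-RSA-AES128-GCM-SHA256"))
    except ssl.SSLError as exc:
        print("cipher string not supported by this OpenSSL build:", exc)
```

The point Jeffrey raises (suppressing KRB5 suites when Kerberos cannot succeed) fits the same shape as `usable_on_server`: it is a server-side fitness check applied before the choice loop, which is what a cipher-choice callback would let an application express. Later OpenSSL releases added `SSL_CTX_set_client_hello_cb()`, which runs early enough to switch the `SSL_CTX`, and therefore the cipher list, before selection happens.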
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]