On Fri, Feb 09, 2001 at 12:12:42AM +0000, Dr S N Henson wrote:
> I realise this is an old thread but it has some interesting implications
> wrt server security policies and the MS SGC bug...
>
> Lutz Jaenicke wrote:
> > - An OpenSSL server (and probably most other servers) will strictly follow the
> > client's preference and choose the first cipher in the CipherSuite it matches.
> > This is not actually enforced by the standard. The standard requires that
> > the server makes its choice; nowhere is it written that the server must follow
> > the client's preferences. OpenSSL however has no means to change this
> > behaviour.
> > * An OpenSSL server has its own list of ciphers with a preference.
> > * It should be possible (with a new option) to change the choosing strategy
> > from "client preference" to "server preference".
>
> Yes, I think this is a good idea. Maybe another special @SERVER option in
> the cipherlist or something like that?
From the implementation point of view this won't be practical. The cipherlist
options are processed earlier and the selection routine only gets the
already prepared list of "available ciphers on server, sorted by preference"
and "proposed ciphers from client, sorted by preference".
I would rather introduce a new SSL_CTX_set_option() option
SSL_OP_CIPHER_SERVER_PREFERENCE
[Two good reasons deleted.]
I already had a look into ssl/ssl_lib.c:ssl3_choose_cipher().
It should not be too hard to do.
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
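The selection step the thread is about, as an added illustration (not OpenSSL's ssl3_choose_cipher() and not code from this thread): the server holds its own preference-ordered cipher list, the client proposes another, and the flag decides whose order breaks the tie. The `CIPHER_SERVER_PREFERENCE` constant stands in for the `SSL_OP_CIPHER_SERVER_PREFERENCE` option Lutz proposes; the cipher lists are constructed so that a client (or anything rewriting its hello) that lists an export cipher first only gets it while the server follows client order.

```c
/* Added example: a model of the two cipher-selection strategies discussed
 * in the thread. Not OpenSSL code; the flag name is a hypothetical stand-in
 * for the proposed SSL_OP_CIPHER_SERVER_PREFERENCE option. */
#include <stdio.h>
#include <string.h>

#define CIPHER_SERVER_PREFERENCE 1u

/* Returns 1 if name appears anywhere in list[0..n-1], else 0. */
static int in_list(const char *name, const char *const *list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, list[i]) == 0) return 1;
    return 0;
}

/* Pick the negotiated cipher. Without the flag the first entry of the
 * CLIENT list that the server also offers wins (OpenSSL's behaviour as
 * described in the thread); with the flag the first entry of the SERVER
 * list that the client proposed wins. Returns NULL if nothing is common. */
const char *choose_cipher(const char *const *server, size_t ns,
                          const char *const *client, size_t nc,
                          unsigned options) {
    const char *const *prio = client;  size_t np = nc;   /* list whose order counts */
    const char *const *other = server; size_t no = ns;   /* list merely checked for membership */
    if (options & CIPHER_SERVER_PREFERENCE) {
        prio = server; np = ns;
        other = client; no = nc;
    }
    for (size_t i = 0; i < np; i++)
        if (in_list(prio[i], other, no)) return prio[i];
    return NULL;
}

/* Constructed lists: the server prefers strong ciphers first, the client
 * puts a 40-bit export cipher first. */
static const char *const server_prefs[] = {"DES-CBC3-SHA", "RC4-SHA", "EXP-RC4-MD5"};
static const char *const client_prefs[] = {"EXP-RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"};

int main(void) {
    size_t ns = sizeof server_prefs / sizeof *server_prefs;
    size_t nc = sizeof client_prefs / sizeof *client_prefs;
    printf("client preference: %s\n",
           choose_cipher(server_prefs, ns, client_prefs, nc, 0));
    printf("server preference: %s\n",
           choose_cipher(server_prefs, ns, client_prefs, nc, CIPHER_SERVER_PREFERENCE));
    return 0;
}
```

With the flag unset the export cipher is negotiated even though the server ranks it last; with the flag set the server's top choice, DES-CBC3-SHA, wins.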