Hi,

Few questions on OpenSSL.

1. Cipher Selection: If the Client sends a weaker cipher (export), followed by a stronger cipher, then openssl selects the first (weaker) cipher as preferred by the client (as per the RFC). Note in the above case, an attacker can influence the order of the client's cipher preference, thereby causing the peers to decide on weaker ciphers. Shouldn't there be logic to protect from such attacks? Given a set of ciphers, the server should be able to decide on the strongest one, which need not always be the first one.

2. In s3_servr.c, after the server sends the hello-request (SSL3_ST_SW_HELLO_REQ_A) we change state to "SSL_ST_OK" in SSL3_ST_SW_HELLO_REQ_C. Isn't the hello-request message followed by the Client sending a "Client-Hello" message? In that case the state should be changed to SSL3_ST_SR_CLNT_HELLO_A.

3. What should be the ideal response (RFC) of the server in this situation: "Server has only SSLv2 support and Client comes with SSLv3 Client-hello." Currently openssl terminates such connections.

4. session->peer cert refers to the client certificate used in Client-Authentication. Is it required to store this cert once the session is established? The main purpose of this cert is to authenticate the client and verify the client's Certificate-Verify message. Once this is done, is it okay to free the cert? In session re-use there is no exchange of the client's cert or cert-verify message. Eventually too many peer certs may hog server resources. Please comment on this.

5. For SSLv2, is it mandatory for the server to send a valid session-Id even if the server is not willing to do session-reuse? For SSLv3/TLSv1 the server can inform this by sending a NULL session-ID. But sending a NULL session-id for SSLv2 doesn't seem to work.

Thanks,
Tushar.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
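
The two selection policies that question 1 contrasts, as an added example that is not part of the original message and is not OpenSSL code: picking the first shared suite in the client's order versus picking by the server's own order, with an optional strength floor that drops export suites. The function `choose_suite`, the `min_bits` parameter and the suite table are hypothetical, and the table is constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data: OpenSSL-style suite names with key sizes in bits. */
struct suite { const char *name; int bits; };
enum policy { CLIENT_ORDER, SERVER_ORDER };

static const struct suite SERVER_SUITES[] = {   /* listed in server preference order */
    {"DES-CBC3-SHA", 168}, {"RC4-SHA", 128}, {"EXP-RC4-MD5", 40},
};
#define N_SERVER (sizeof SERVER_SUITES / sizeof SERVER_SUITES[0])

/* Index of name in the server table, or -1 if absent or weaker than min_bits. */
static int server_index(const char *name, int min_bits) {
    for (size_t i = 0; i < N_SERVER; i++)
        if (strcmp(SERVER_SUITES[i].name, name) == 0)
            return SERVER_SUITES[i].bits >= min_bits ? (int)i : -1;
    return -1;
}

/* Pick a shared suite; returns NULL when nothing acceptable is shared. */
const char *choose_suite(const char *const *client, size_t n_client,
                         enum policy pol, int min_bits) {
    int best = -1;
    for (size_t i = 0; i < n_client; i++) {
        int idx = server_index(client[i], min_bits);
        if (idx < 0) continue;                  /* unknown or below the floor */
        if (pol == CLIENT_ORDER)
            return SERVER_SUITES[idx].name;     /* first client match wins */
        if (best < 0 || idx < best) best = idx; /* keep the server's favourite */
    }
    return best < 0 ? NULL : SERVER_SUITES[best].name;
}

int main(void) {
    /* Constructed ClientHello order: export suite listed first. */
    const char *hello[] = {"EXP-RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"};
    const char *r;
    printf("client order, no floor : %s\n", choose_suite(hello, 3, CLIENT_ORDER, 0));
    printf("server order, no floor : %s\n", choose_suite(hello, 3, SERVER_ORDER, 0));
    printf("client order, >=128 bit: %s\n", choose_suite(hello, 3, CLIENT_ORDER, 128));
    r = choose_suite(hello, 1, SERVER_ORDER, 128);   /* export-only client */
    printf("export only,  >=128 bit: %s\n", r ? r : "(no shared suite)");
    return 0;
}
```

In OpenSSL itself the corresponding controls are the `SSL_OP_CIPHER_SERVER_PREFERENCE` option and a cipher string passed to `SSL_CTX_set_cipher_list` that leaves export suites out.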
