It seems that if you enable ADH but disable MEDIUM ciphersuites, they
get left on anyway.
I guess not too many people enable ADH, but there are scenarios where
it is useful, and so this seems like a security bug.
What I did:
% openssl s_server -state -CApath certs -cipher 'ALL'
and connect to it with
% openssl s_client -cipher "ADH:\!EXP:\!LOW:!'MEDIUM"
then the server prints:
Shared ciphers:ADH-DES-CBC3-SHA:ADH-DES-CBC-SHA:ADH-RC4-MD5
ADH-DES-CBC-SHA is single DES and so fails LOW, and shouldn't be in
the list.
Adam
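
Added example, not part of the original message and not OpenSSL code: a Python check that compares the "Shared ciphers:" line printed by s_server with the strength classes the client's cipher string excluded. Classifying suites by name and treating the backslashes and the stray quote in the cipher string as shell-escaping residue are assumptions of this sketch.

```python
# Added example: audit an s_server "Shared ciphers:" line against the
# strength classes that the client's cipher string excluded with '!'.
# Strength classes are inferred from the suite name (an assumption of this
# sketch); `openssl ciphers -v` on the build under test is authoritative.

def strength_class(suite):
    """Classify a suite name by the strength of its bulk cipher."""
    if suite.startswith("EXP"):
        return "EXP"       # export-grade suites
    if "DES-CBC3" in suite:
        return "HIGH"      # triple DES, rated HIGH by OpenSSL of that era
    if "DES-CBC" in suite:
        return "LOW"       # single DES, 56-bit key
    if "RC4" in suite:
        return "MEDIUM"    # 128-bit RC4
    return "UNKNOWN"


def excluded_classes(cipher_string):
    """Return the strength classes removed with '!' in a cipher string."""
    known = {"EXP", "LOW", "MEDIUM", "HIGH"}
    classes = set()
    for term in cipher_string.split(":"):
        # Assumption: backslashes and quotes are shell-escaping residue.
        cleaned = term.replace("\\", "").replace("'", "")
        if cleaned.startswith("!") and cleaned[1:] in known:
            classes.add(cleaned[1:])
    return classes


def audit_shared_ciphers(server_line, cipher_string):
    """List (suite, class) pairs that are shared despite being excluded."""
    prefix = "Shared ciphers:"
    if not server_line.startswith(prefix):
        raise ValueError("not a 'Shared ciphers:' line")
    banned = excluded_classes(cipher_string)
    suites = [s for s in server_line[len(prefix):].strip().split(":") if s]
    return [(s, strength_class(s)) for s in suites
            if strength_class(s) in banned]


# Inputs copied from the message above.
CIPHER_STRING = "ADH:\\!EXP:\\!LOW:!'MEDIUM"
SERVER_LINE = "Shared ciphers:ADH-DES-CBC3-SHA:ADH-DES-CBC-SHA:ADH-RC4-MD5"

if __name__ == "__main__":
    for suite, cls in audit_shared_ciphers(SERVER_LINE, CIPHER_STRING):
        print(f"{suite}: class {cls} was excluded but is still shared")
```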