While the AES cipher suites from draft-ietf-tls-ciphersuite-06.txt are disabled by default and not part of "ALL" (the "AESdraft" group alias can be used to enable them), they might be accidentally enabled by using cipher suite strings such as "RSA". The reason for disabling them unless explicitly requested is that they are not yet official, so it may be a problem if seemingly innocuous strings such as "RSA" enable them.

(Similarly, cipher suite strings such as "DES" will enable "ADH" cipher suites that are left out of "ALL". But this is less of a problem because these cipher suites are official; they are not in "ALL" simply because usually anonymous connections are not desired.)

A possible strategy is to define a new group alias for all those cipher suites that are not part of "ALL", which could be called "NONE" (unless someone comes up with a more serious name for it). Then "!NONE" in a cipher suite string will disable all cipher suites that are not in "ALL", i.e. "RSA:!NONE" would be "RSA" without "AESdraft" and

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
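The alias arithmetic the post describes, as an added toy model that is not OpenSSL's own code: the suite table is a constructed sample in which the draft AES suites and the ADH suites sit outside "ALL", the proposed "NONE" alias is modelled as "everything not in ALL", and `outside_all()` is the audit check an operator would run on a cipher string before deploying it.

```python
"""Toy model of OpenSSL-style cipher-string resolution (added example, not OpenSSL code).
The suite table is a constructed sample mirroring the post: draft AES and anonymous-DH
suites are left out of "ALL", yet innocuous aliases like "RSA" and "DES" still pull them in.
"""

# Constructed sample: suite name -> the group aliases it belongs to.
SUITES = {
    "RC4-SHA":              {"RSA", "RC4", "ALL"},
    "DES-CBC3-SHA":         {"RSA", "DES", "ALL"},
    "DHE-RSA-DES-CBC3-SHA": {"DHE", "DES", "ALL"},
    "AES128-SHA":           {"RSA", "AESdraft"},   # draft AES suite, not in ALL
    "AES256-SHA":           {"RSA", "AESdraft"},   # draft AES suite, not in ALL
    "ADH-DES-CBC3-SHA":     {"ADH", "DES"},        # anonymous DH, not in ALL
    "ADH-RC4-MD5":          {"ADH", "RC4"},        # anonymous DH, not in ALL
}

def members(alias):
    """Suites matching an alias; "NONE" is the post's proposed 'not in ALL' alias."""
    if alias == "NONE":
        return [s for s, tags in SUITES.items() if "ALL" not in tags]
    return [s for s, tags in SUITES.items() if alias in tags]

def resolve(cipher_string):
    """Expand a ':'-separated cipher string into an ordered list of suites.

    Bare ALIAS appends its members, "-ALIAS" removes them (they may be
    re-added later), "!ALIAS" removes them and locks them out for the rest
    of the string, matching how OpenSSL treats "!" in "RSA:!NONE".
    """
    enabled, killed = [], set()
    for token in cipher_string.split(":"):
        if token[:1] in ("!", "-"):
            op, alias = token[0], token[1:]
        else:
            op, alias = "", token
        for suite in members(alias):
            if op == "!":
                killed.add(suite)
            if op in ("!", "-"):
                if suite in enabled:
                    enabled.remove(suite)
            elif suite not in enabled and suite not in killed:
                enabled.append(suite)
    return enabled

def outside_all(cipher_string):
    """Audit check: suites a cipher string enables that are not part of "ALL"."""
    return [s for s in resolve(cipher_string) if "ALL" not in SUITES[s]]
```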
