Lutz Jaenicke:
>> I have already worked in the cipher selection routines yesterday with
>> respect to PR#130. I will add an appropriate "NOTDEFAULT" selection
>> keyword that will cover cipher suites not selected by default.
>> As this is a new feature I intend to only add it to 0.9.7 (and later).
> Technically spoken we have two things:
> * ALL: all ciphers _except_ eNULL (no encryption is left out)
> * DEFAULT: ALL ciphers, then ADH is removed, then some sorting
> We would therefore have two classes of non-selected ciphers:
> * NODEFAULT: meaning effectively ADH in the moment
> * NOALL: meaning effectively eNULL in the moment
>
> Of course, this distinction is not necessarily clear unless you look
> up the realization of DEFAULT and ALL.
> Should I realize both classes? Actually it would make sense from the
> logical point of view and in the documentation I would propose to use
> something like "RSA:NODEFAULT:NOALL" to unselect the unwanted ciphers.
> I propose NOALL instead of NONE in order to reflect its logic
> interaction with the ALL keyword.

The "NO" prefix in "NODEFAULT" and "NOALL" could be misleading.
(Of course, "NONE" isn't any better.) "COMPLEMENT_OF_ALL" and
"COMPLEMENT_OF_DEFAULT" are clearer. It is also longer, but it may be
worth it.

I don't particularly like the "RSA:NODEFAULT:NOALL" example because
the "NO..." or "COMPLEMENT_OF_..." group aliases are not really useful
for *enabling* ciphersuites (it can be done, but this is quite
pointless). Their real purpose is *disabling* ciphersuites:
"RSA:!COMPLEMENT_OF_ALL" or "RC4:!COMPLEMENT_OF_DEFAULT" will enable
all RSA ciphersuites with the exception of the eNULL ciphersuites, and
"RC4:!COMPLEMENT_OF_DEFAULT" will enable all non-anonymous RC4
ciphersuites.

-- 
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
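The following is an added illustration, not code from the thread or from OpenSSL's own cipher-string parser: a toy evaluator that models the alias semantics the two messages state (ALL = everything except eNULL, DEFAULT = ALL with ADH removed, and the two complement aliases that stand for eNULL and ADH "in the moment"), with the thread's proposed spellings COMPLEMENT_OF_ALL and COMPLEMENT_OF_DEFAULT (the keywords OpenSSL eventually shipped are spelled COMPLEMENTOFALL and COMPLEMENTOFDEFAULT). The six-entry suite table is a constructed sample, and the "-" operator (remove, but allow a later keyword to re-add) is modelled on OpenSSL's documented behaviour rather than on anything in the thread. Running it shows Bodo's point: used bare, as in "RSA:COMPLEMENT_OF_DEFAULT:COMPLEMENT_OF_ALL", the aliases *add* the anonymous and unencrypted suites, whereas "RSA:!COMPLEMENT_OF_ALL" removes them.

```python
"""Toy model of OpenSSL-style cipher-string evaluation (illustration only).

Constructed example: the suite table is made up, and the group aliases follow
what the mailing-list thread states, with sorting ignored.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str   # key exchange: "RSA", "EDH" (ephemeral DH, signed), "ADH" (anonymous)
    enc: str  # bulk cipher: "RC4", "3DES", "NULL" (no encryption)


# Constructed sample table, listed in preference order.
SUITES: List[Suite] = [
    Suite("RC4-MD5", "RSA", "RC4"),
    Suite("DES-CBC3-SHA", "RSA", "3DES"),
    Suite("NULL-MD5", "RSA", "NULL"),
    Suite("ADH-RC4-MD5", "ADH", "RC4"),
    Suite("ADH-DES-CBC3-SHA", "ADH", "3DES"),
    Suite("EDH-RSA-DES-CBC3-SHA", "EDH", "3DES"),
]
BY_NAME: Dict[str, Suite] = {s.name: s for s in SUITES}


def _select(pred: Callable[[Suite], bool]) -> List[Suite]:
    return [s for s in SUITES if pred(s)]


# Group aliases as described in the thread. COMPLEMENT_OF_DEFAULT is the
# complement of DEFAULT *relative to ALL*, i.e. the non-eNULL ADH suites.
GROUPS: Dict[str, Callable[[], List[Suite]]] = {
    "eNULL": lambda: _select(lambda s: s.enc == "NULL"),
    "ADH": lambda: _select(lambda s: s.kx == "ADH"),
    "RSA": lambda: _select(lambda s: s.kx == "RSA"),
    "RC4": lambda: _select(lambda s: s.enc == "RC4"),
    "ALL": lambda: _select(lambda s: s.enc != "NULL"),
    "DEFAULT": lambda: _select(lambda s: s.enc != "NULL" and s.kx != "ADH"),
    "COMPLEMENT_OF_ALL": lambda: _select(lambda s: s.enc == "NULL"),
    "COMPLEMENT_OF_DEFAULT": lambda: _select(lambda s: s.enc != "NULL" and s.kx == "ADH"),
}


def evaluate(cipher_string: str) -> List[str]:
    """Return the ordered suite names selected by a ':'-separated cipher string.

    A bare keyword appends its suites (first occurrence wins the position),
    '-KEYWORD' removes them but lets a later keyword re-add them, and
    '!KEYWORD' removes them permanently for the rest of the string.
    """
    selected: List[str] = []
    killed: set = set()
    for token in cipher_string.split(":"):
        if not token:
            continue
        op, word = (token[0], token[1:]) if token[0] in "!-" else ("", token)
        if word not in GROUPS:
            raise ValueError(f"unknown cipher keyword: {word!r}")
        names = [s.name for s in GROUPS[word]()]
        if op == "!":
            killed.update(names)
            selected = [n for n in selected if n not in killed]
        elif op == "-":
            selected = [n for n in selected if n not in names]
        else:
            selected.extend(n for n in names if n not in killed and n not in selected)
    return selected


def unwanted(cipher_string: str) -> List[str]:
    """Defender's check: which selected suites are anonymous or unencrypted."""
    return [n for n in evaluate(cipher_string)
            if BY_NAME[n].kx == "ADH" or BY_NAME[n].enc == "NULL"]


if __name__ == "__main__":
    for cs in ("RSA:COMPLEMENT_OF_DEFAULT:COMPLEMENT_OF_ALL",  # bare aliases enable them
               "RSA:!COMPLEMENT_OF_ALL",                         # '!' disables eNULL
               "RC4:!COMPLEMENT_OF_DEFAULT",                     # '!' disables ADH
               "ALL:-ADH:ADH", "ALL:!ADH:ADH"):
        print(f"{cs:45} -> {evaluate(cs)}  unwanted={unwanted(cs)}")
```

The `unwanted` helper is the check a reviewer of a server's cipher string actually wants: whatever the aliases are called, the question is whether eNULL or ADH suites survive evaluation, and only the "!" form guarantees that a later keyword cannot bring them back.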