Hmm, there's a problem that haven't been addressed at all by the
IETF. SSLv3 contains the following as part of it's ciphersuite:
The final cipher suites are for the FORTEZZA token.
CipherSuite SSL_FORTEZZA_KEA_WITH_NULL_SHA = {
0X00,0X1C };
CipherSuite SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = {
0x00,0x1D };
CipherSuite SSL_FORTEZZA_KEA_WITH_RC4_128_SHA = {
0x00,0x1E };
Please note how the last one clashes with the first of the KRB5
suite. Also, when one looks at RFC 2246 (TLS), there's this note at
the end of section A.5:
Note: The cipher suite values { 0x00, 0x1C } and { 0x00, 0x1D } are
reserved to avoid collision with Fortezza-based cipher suites
in
SSL 3.
which indicates that SSL_FORTEZZA_KEA_WITH_RC4_128_SHA was not
considered or entirely dropped. Still a clash, and I honestly
wouldn't have any idea on what to do with this.
If it wasn't for this, I'd apply the needed changes immediately. As
it is now, I'd like to see this issue cleared first.
[[EMAIL PROTECTED] - Thu Aug 1 12:31:17 2002]:
> resubmitting via RT. The absence of a quick reply leads me to
believe
> that there is indeed something wrong. I encourage you too look at
this
> before 0.9.7 release, otherwise we will run into serious
> interoperability problems in the future.
>
> Andreas.
>
> -------- Original Message --------
> Subject: Kerberos Ciphersuite IDs
> Date: Thu, 25 Jul 2002 20:27:03 +0100
> From: Andreas Sterbenz <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
>
> Hi,
>
> I am looking at ssl/ssl3.h from 0.9.7-beta2 and the Kerberos
ciphersuite
> IDs don't seem to match the IDs given in RFC2712. I assume I am
missing
> something obvious, could someone please enlighten me?
>
> Thanks,
> Andreas.
>
> ===
> ::ssl/ssl3.h::
> #define SSL3_CK_KRB5_DES_40_CBC_SHA 0x03000021
> #define SSL3_CK_KRB5_DES_40_CBC_MD5 0x03000022
> #define SSL3_CK_KRB5_DES_64_CBC_SHA 0x03000023
> #define SSL3_CK_KRB5_DES_64_CBC_MD5 0x03000024
> #define SSL3_CK_KRB5_DES_192_CBC3_SHA 0x03000025
> #define SSL3_CK_KRB5_DES_192_CBC3_MD5 0x03000026
>
> ::http://www.ietf.org/rfc/rfc2712.txt::
> CipherSuite TLS_KRB5_WITH_DES_CBC_SHA = {
0x00,0x1E };
> CipherSuite TLS_KRB5_WITH_3DES_EDE_CBC_SHA = {
0x00,0x1F };
> CipherSuite TLS_KRB5_WITH_RC4_128_SHA = {
0x00,0x20 };
> CipherSuite TLS_KRB5_WITH_IDEA_CBC_SHA = {
0x00,0x21 };
> CipherSuite TLS_KRB5_WITH_DES_CBC_MD5 = {
0x00,0x22 };
> CipherSuite TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = {
0x00,0x23 };
> CipherSuite TLS_KRB5_WITH_RC4_128_MD5 = {
0x00,0x24 };
> CipherSuite TLS_KRB5_WITH_IDEA_CBC_MD5 = {
0x00,0x25 };
>
> CipherSuite TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = {
0x00,0x26 };
> CipherSuite TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = {
0x00,0x27 };
> CipherSuite TLS_KRB5_EXPORT_WITH_RC4_40_SHA = {
0x00,0x28 };
> CipherSuite TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = {
0x00,0x29 };
> CipherSuite TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = {
0x00,0x2A };
> CipherSuite TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = {
0x00,0x2B };
> ===
>
--
Richard Levitte
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
