On Sun, Nov 24, 2002 at 08:17:35PM +0100, Peter 'Luna' Runestig wrote:
> I have a client and a server, that sets SSL_CTX_set_cipher_list("ALL")
> (and SSL_CTX_set_tmp_dh_callback()). With beta3 and beta4, that makes
> the negotiated cipher to be ADH-AES256-SHA. I would expect something
> like DHE-RSA-AES256-SHA instead (which I get if I do
> SSL_CTX_set_cipher_list("ALL:!ADH") instead), or am I missing something?
> Isn't the strongest common cipher expected to be used?
The strength sorting only applies to the symmetric cipher chosen.
There is no sorting with respect to the authentication method
(is Kerberos stronger than RSA????). Therefore there is a default
handling for this in the DEFAULT setting. If you don't use DEFAULT,
you'll have to take care of this yourself with your selection string.
> Doing it all with 0.9.6g negotiates EXP1024-RC4-SHA instead, which is
> also a surprise to me; e.g. SSL_CTX_set_cipher_list("MEDIUM") gives
> IDEA-CBC-SHA.
The underlying sorting is that of the table within which the ciphers
are listed in the source code. So from an application point of view
it should be considered to be "arbitrary" and the application should
take care of it.
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
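The point Lutz makes above is that a cipher string such as "ALL" only sorts by symmetric strength, so an application that does not use DEFAULT has to state its own preference for authenticated key exchange. The script below is an added example, not code from this thread or from the OpenSSL project: it uses Python's standard `ssl` module (which hands the string to whatever OpenSSL the interpreter links against) to expand a cipher string, report which suites are anonymous, and show two application-side rules. "+aNULL" keeps the suites but moves them to the end of the list, and "!aNULL" removes them; unlike the "!ADH" used in the thread, "aNULL" also matches anonymous ECDH suites, which did not exist in 0.9.7 but do today. The function names (`expand`, `anonymous_suites`, `demote_anonymous`, `exclude_anonymous`, `anonymous_at_end`) are this example's own. Newer OpenSSL releases already demote anonymous suites in their built-in ordering; an explicit rule makes the policy independent of the library version.

```python
import ssl


def expand(spec):
    """Hand a cipher-list string to the OpenSSL that Python links against and
    return the suites it would offer, in OpenSSL's preference order.
    An unsatisfiable spec raises ssl.SSLError; report it as an empty list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    # Each entry is a dict with 'name', 'auth', 'description', 'strength_bits', ...
    return ctx.get_ciphers()


def is_anonymous(cipher):
    """True for suites with no authentication (anonymous DH/ECDH): OpenSSL
    reports them as auth-null and prints Au=None in the description line."""
    return cipher["auth"] == "auth-null" or "Au=None" in cipher["description"]


def anonymous_suites(spec):
    """Names of the unauthenticated suites the spec would still offer."""
    return [c["name"] for c in expand(spec) if is_anonymous(c)]


def preferred(spec):
    """The suite OpenSSL would try first for this spec, or None."""
    suites = expand(spec)
    return suites[0]["name"] if suites else None


def anonymous_at_end(spec):
    """True if every anonymous suite sorts after every authenticated one,
    i.e. the ordering never prefers an unauthenticated exchange."""
    seen_anonymous = False
    for cipher in expand(spec):
        if is_anonymous(cipher):
            seen_anonymous = True
        elif seen_anonymous:
            return False  # an authenticated suite sorted behind an anonymous one
    return True


def demote_anonymous(spec):
    """The application-side fix Lutz describes: keep the suites, but append a
    '+aNULL' rule so OpenSSL moves all unauthenticated ones to the end."""
    return spec + ":+aNULL"


def exclude_anonymous(spec):
    """Stricter variant: drop unauthenticated suites altogether. '!aNULL' also
    covers anonymous ECDH, which the thread's '!ADH' does not."""
    return spec + ":!aNULL"


def report(spec):
    """One line per spec: count, first choice, anonymous suites, and whether
    anything unauthenticated could be preferred over an authenticated suite."""
    suites = expand(spec)
    print(f"{spec!r}: {len(suites)} suites, first {preferred(spec)}, "
          f"anonymous: {anonymous_suites(spec) or 'none'}, "
          f"anonymous last: {anonymous_at_end(spec)}")


if __name__ == "__main__":
    for spec in ("ALL", demote_anonymous("ALL"), exclude_anonymous("ALL"), "DEFAULT"):
        report(spec)
```

The exact names and order printed depend on the OpenSSL version Python was built against (TLS 1.3 suites, which carry their own key exchange and authentication, appear first on 1.1.1 and later); what stays constant is that "DEFAULT" and "ALL:!aNULL" offer no anonymous suite and "ALL:+aNULL" never places one ahead of an authenticated suite.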