I am working with OpenSSL 0.9.7c under Linux. I have come across
the following when using SSL_CTX_set_cipher_list() on this platform.
According to the man page, SSL_CTX_set_cipher_list() has the
following prototype:
int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
The str argument is a string that identifies the cipher suite to be
selected. Again according to the man page, quote, failure is only
flagged if no ciphers could be collected at all, unquote. On this basis
I would have thought that using some random string for str should
cause SSL_CTX_set_cipher_list() to return a failure. Apparently, it
doesn't.
Looking into the code, SSL_CTX_set_cipher_list() depends on
ssl_create_cipher_list() for all the actual work. If
ssl_create_cipher_list() returns a pointer to a valid
STACK_OF(SSL_CIPHER) then SSL_CTX_set_cipher_list() will return 1
(success) otherwise it will return 0 (failure).
For concreteness let's choose a specific random string:
"abcdef". When SSL_CTX_set_cipher_list() is invoked on this string (I'll
assume henceforth that the ctx argument is fine),
ssl_create_cipher_list() returns a non-NULL pointer:
(gdb) p *sk
$2 = {
num = 0,
data = 0x6000000000032270,
sorted = 0,
num_alloc = 4,
comp = 0
}
At 0x6000000000032270 we only find strings of zeros - i.e. no
cipher suite-related data.
If we use the "DES-CBC-SHA" string instead as the value of str, then
ssl_create_cipher_list() returns a non-NULL pointer again, but this time
with useful data in the address at the data field. In addition, the num
field is 1, rather than 0, as above.
It is clear that for "abcdef" ssl_create_cipher_list(), as
expected, has failed to recognize a valid cipher suite, and therefore
the value returned by SSL_CTX_set_cipher_list() ought to be 0, not 1.
However, since SSL_CTX_set_cipher_list() relies on the NULL or non-NULL
character of the pointer returned by ssl_create_cipher_list(), it
returns 1 for this nonsensical "abcdef" string.
While this is not a big technical deal (the goodness or not of
the STACK_OF(SSL_CIPHER) pointer can be determined by looking at the num
field, I guess) I believe that this behavior is not in agreement with
the description in the manual page for SSL_CTX_set_cipher_list(). In my
view, this function should be changed to read as follows:
/** specify the ciphers to be used by default by the SSL_CTX */
int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
{
    STACK_OF(SSL_CIPHER) *sk;

    sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list,
                                &ctx->cipher_list_by_id, str);
    /* ssl_create_cipher_list() hands back an empty (but non-NULL) stack
     * when nothing in str matched a cipher; treat that as a failure too,
     * as the man page says. sk_SSL_CIPHER_num() is the accessor for the
     * stack's num field. */
    return (((sk == NULL) || (sk_SSL_CIPHER_num(sk) == 0)) ? 0 : 1);
}
Cheers,
JCA
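The check a caller can apply regardless of which OpenSSL release sits underneath, as an added example that is not part of the post or of OpenSSL itself: apply the spec, then inspect what was actually selected rather than trusting the return value alone, since on 0.9.7c a garbage spec yields success with an empty list. It uses Python's ssl module (which calls SSL_CTX_set_cipher_list) and assumes a modern OpenSSL, where TLS 1.3 suites are configured separately and are always present; the function name configure_ciphers is my own.

```python
import ssl


def configure_ciphers(spec: str) -> list[str]:
    """Apply a cipher spec to a fresh TLS context and return the names of
    the (TLS 1.2 and earlier) ciphers it actually selected.

    Raises ValueError when the spec matched nothing, whether or not the
    underlying OpenSSL reported the failure: older releases such as 0.9.7c
    return success with an empty cipher stack, so we look at the stack.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)  # wraps SSL_CTX_set_cipher_list()
    except ssl.SSLError as exc:
        # Modern OpenSSL rejects a spec that selects no cipher at all.
        raise ValueError(f"cipher spec {spec!r} matched no ciphers: {exc}") from None

    # Belt and braces: the return value said "ok", now verify the list is
    # not empty. TLS 1.3 suites live in a separate list (SSL_CTX_set_ciphersuites)
    # and are always reported, so exclude them from the count.
    selected = [
        c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"
    ]
    if not selected:
        raise ValueError(f"cipher spec {spec!r} matched no ciphers")
    return selected


if __name__ == "__main__":
    # Constructed inputs: one valid spec and the nonsense string from the post.
    print(configure_ciphers("ECDHE-RSA-AES256-GCM-SHA384"))
    try:
        configure_ciphers("abcdef")
    except ValueError as err:
        print("rejected:", err)
```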
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List