On Mon, Jun 26, 2000 at 01:11:58PM +0200, [EMAIL PROTECTED] wrote:
> >the texts for SSLv2 and SSLv3 are the same, this is of no importance.
> >What you really want is to use the 128-bit domestic cipher and the 40-bit
> >cipher as a fallback:
> > SSL_CTX_set_cipher_list(ctx, "RC-MD5:EXP-RC4-MD5");
>
> First of all thanks for that quick and very helpful answer!
> I just wonder why this cipher (RC-MD5) is not supported by default, or am I
> wrong in this case?
Huh, that of course is a typo; it is called RC4-MD5 (with "4"), of course...
So: RC4-MD5:EXP-RC4-MD5 is the correct string.
The ciphers should however be compiled in anyway. Provided you have a standard build,
you should get:
> openssl ciphers
EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-DSS-RC4-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5:IDEA-CBC-MD5:RC2-CBC-MD5:RC4-MD5:RC4-64-MD5:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EXP1024-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5
>
> My special reason is that without the mentioned function call I get a
>
> "<title>Insufficient encryption</title><h1>Insufficient encryption</h1>This
> document requires a larger secret key size for
> encryption than your browser is capable of supporting."
>
> -answer from the Domestic Server.
> (see also my mail "Error: document requires a larger secret key size for
> encryption than your browser is capable of supporting", posted on June 22).
> Since there was no response to this request I found this the only way to
> solve my problem. In case you've got a better
> solution, please let me know.
Actually, the TLS specification says that the client lists its supported ciphers sorted
by preference. The server then selects one of them. In OpenSSL servers, the server strictly
honors the client's sorting and chooses the first one in the list that is also supported
by the server. The OpenSSL default ciphers are sorted by strength, so that the server
would select the strongest ciphers first and it should work as expected.
In the special case you describe, it seems that the Netscape server is not lucky with
its cipher selection; it chooses one that, for any reason whatsoever, is later found to
be not sufficient. Maybe the check "sufficient or not" on the server side is
problematic.
What cipher is chosen? I don't know what ciphers the Netscape server supports...
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
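The selection rule Lutz describes (client lists ciphers in preference order, an OpenSSL server of that era takes the first entry in the client's list that it also supports) and the 128-bit/40-bit fallback string from the thread can be modelled offline. The following is an added example written for this page, not code from the thread or from OpenSSL. It parses the colon-separated cipher-string format shown in the mail, runs the negotiation under both client-preference order and server-preference order (the latter corresponds to the later OpenSSL option SSL_OP_CIPHER_SERVER_PREFERENCE, which is not part of the 2000 discussion), and applies a minimum-key-size check that stands in for the "Insufficient encryption" decision. The cipher names and the abbreviated server list are taken from the mail; the KEY_BITS table and the function names are this example's own assumptions.

```python
"""Model of cipher-list negotiation as described in the openssl-users thread.

Constructed example: SERVER_DEFAULT is an abbreviated form of the
`openssl ciphers` output quoted in the mail, and the client strings are the
ones discussed there. Key sizes follow the thread: RC4-MD5 is the 128-bit
"domestic" cipher, EXP-RC4-MD5 the 40-bit export fallback.
"""
from typing import List, Optional

# Abbreviated from the `openssl ciphers` output in the mail. RC4-MD5 and
# EXP-RC4-MD5 appear twice there because the SSLv2 and SSLv3 entries share a name.
SERVER_DEFAULT = "EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5:RC4-MD5:EXP-RC4-MD5:EXP-RC4-MD5"
CLIENT_DOMESTIC_FIRST = "RC4-MD5:EXP-RC4-MD5"   # the corrected string from the thread
CLIENT_EXPORT_FIRST = "EXP-RC4-MD5:RC4-MD5"     # constructed: a client that lists the weak cipher first

# Assumed key-size table for the ciphers named in the thread (bits of cipher key).
KEY_BITS = {
    "RC4-MD5": 128,
    "EXP-RC4-MD5": 40,
    "DES-CBC3-SHA": 168,
    "EDH-RSA-DES-CBC3-SHA": 168,
    "RC4-SHA": 128,
}


def parse_cipher_list(spec: str) -> List[str]:
    """Split a colon-separated OpenSSL cipher string into an ordered list.

    Duplicate names are dropped, keeping their first position: only the order
    matters for preference, and the SSLv2/SSLv3 twins share one name.
    """
    seen = set()
    ordered = []
    for name in spec.split(":"):
        name = name.strip()
        if name and name not in seen:
            seen.add(name)
            ordered.append(name)
    return ordered


def select_cipher(client_order: List[str], server_order: List[str],
                  honor_client_order: bool = True) -> Optional[str]:
    """Return the cipher the server would negotiate, or None if none is shared.

    honor_client_order=True is the behaviour described in the thread: walk the
    client's list and take the first entry the server also supports.
    honor_client_order=False models server preference (the later
    SSL_OP_CIPHER_SERVER_PREFERENCE option): walk the server's list instead.
    """
    if honor_client_order:
        server_set = set(server_order)
        return next((c for c in client_order if c in server_set), None)
    client_set = set(client_order)
    return next((c for c in server_order if c in client_set), None)


def meets_minimum(cipher: Optional[str], min_bits: int) -> bool:
    """Stand-in for the server's 'sufficient or not' check on the negotiated cipher."""
    if cipher is None:
        return False
    return KEY_BITS.get(cipher, 0) >= min_bits


def negotiate(client_spec: str, server_spec: str, min_bits: int = 128,
              honor_client_order: bool = True) -> dict:
    """Run one negotiation and report the chosen cipher and whether it passes the policy."""
    chosen = select_cipher(parse_cipher_list(client_spec),
                           parse_cipher_list(server_spec),
                           honor_client_order)
    return {"cipher": chosen, "sufficient": meets_minimum(chosen, min_bits)}


if __name__ == "__main__":
    # Corrected string against a default build: the 128-bit cipher is chosen.
    print(negotiate(CLIENT_DOMESTIC_FIRST, SERVER_DEFAULT))
    # Same client against an export-only server: falls back to the 40-bit cipher.
    print(negotiate(CLIENT_DOMESTIC_FIRST, "EXP-RC4-MD5:EXP-RC2-CBC-MD5"))
    # A client listing the export cipher first: client order picks 40 bits and
    # the policy check fails; server order would have picked RC4-MD5 instead.
    print(negotiate(CLIENT_EXPORT_FIRST, SERVER_DEFAULT))
    print(negotiate(CLIENT_EXPORT_FIRST, SERVER_DEFAULT, honor_client_order=False))
```

The third and fourth calls show why the order inside the cipher string matters under the client-preference rule from the thread: a client that lists EXP-RC4-MD5 before RC4-MD5 gets the 40-bit cipher even though both sides support the 128-bit one, and the policy check then fails the connection.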