On Tue, Feb 07, 2006 at 11:32:43PM -0700, Kyle Hamilton wrote:
> On 2/7/06, Victor Duchovni <[EMAIL PROTECTED]> wrote:
> >
> > For Postfix 2.3 I would like to be able to determine whether the actual
> > cipher negotiated for a session initialized with a lenient allowed cipher
> > list, is actually a member of a more strict cipher list.
> >
> > The idea is to allow a-priori low security connections to be
> > opportunistically determined to be high security connections and then
> > with SASL allow the transmission of plain-text passwords rather instead
> > of requiring one-time challenge response protocols.
> >
> > So the question is, how do I determine whether the current cipher is a
> > member of say "MEDIUM:HIGH" or "kEDH+MEDIUM+HIGH:!ADH:!DSS"?
> >
> > Is this an appropriate user interface? Or should we instead just ask the
> > administrator to define a minimum secure-channel bit strength, which is
> > a more crude, but perhaps adequate control.
>
> The cipher negotiated is a property of the SSL connection itself.
>
> SSL_get_current_cipher() is probably what you're looking for:
> http://www.openssl.org/docs/ssl/SSL_get_current_cipher.html for
> documentation.
>
This part I know. It is less obvious how to determine whether the cipher
I have is a member of particular "family" after the fact (without
restricting the session to that family).
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
