Check the documentation for the various levels to see what each cipher falls into. Specifically, "LOW" is any 40 or 56-bit cipher, and 768 bytes or below RSA key. MEDIUM is any 128-bit cipher (except AES) and 1024 bits or more of RSA key. HIGH is any 256-bit cipher, any AES cipher, and 2048+ bits of RSA key. That's the general breakdown, as far as I recall (from earlier discussions on this list).

-Kyle H

On 2/8/06, Victor Duchovni <[EMAIL PROTECTED]> wrote:
> On Tue, Feb 07, 2006 at 11:32:43PM -0700, Kyle Hamilton wrote:
>
> > On 2/7/06, Victor Duchovni <[EMAIL PROTECTED]> wrote:
> > >
> > > For Postfix 2.3 I would like to be able to determine whether the actual
> > > cipher negotiated for a session initialized with a lenient allowed cipher
> > > list, is actually a member of a more strict cipher list.
> > >
> > > The idea is to allow a-priori low security connections to be
> > > opportunistically determined to be high security connections and then
> > > with SASL allow the transmission of plain-text passwords rather instead
> > > of requiring one-time challenge response protocols.
> > >
> > > So the question is, how do I determine whether the current cipher is a
> > > member of say "MEDIUM:HIGH" or "kEDH+MEDIUM+HIGH:!ADH:!DSS"?
> > >
> > > Is this an appropriate user interface? Or should we instead just ask the
> > > administrator to define a minimum secure-channel bit strength, which is
> > > a more crude, but perhaps adequate control.
> >
> > The cipher negotiated is a property of the SSL connection itself.
> >
> > SSL_get_current_cipher() is probably what you're looking for:
> > http://www.openssl.org/docs/ssl/SSL_get_current_cipher.html for
> > documentation.
> >
>
> This part I know. It is less obvious how to determine whether the cipher
> I have is a member of particular "family" after the fact (without
> restricting the session to that family).
>
> --
> Viktor.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
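
One way to answer the membership question raised in this thread, as an added example that is not code from either poster, Postfix or OpenSSL: expand the stricter cipher list in a scratch context that never connects, then look the negotiated cipher up in the result, with the bit-strength floor as a second check. It uses Python's `ssl` module, which wraps OpenSSL and accepts the same cipher-list strings; the function names, the policy string `HIGH:!aNULL:!kRSA`, the TLS 1.3 handling and the sample tuples are assumptions constructed for the illustration.

```python
import ssl

STRICT = "HIGH:!aNULL:!kRSA"  # assumed policy string, not taken from the thread


def expand(cipher_list):
    """Return the names of the TLS <= 1.2 ciphers a cipher-list string selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # scratch context, never connects
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if the string selects nothing
    # OpenSSL 1.1.1+ also reports the TLS 1.3 suites here, although the
    # cipher-list string does not control them, so they are left out.
    return frozenset(c["name"] for c in ctx.get_ciphers()
                     if c["protocol"] != "TLSv1.3")


def meets_policy(negotiated, strict_list=STRICT, min_bits=128):
    """Classify a finished session from its SSLSocket.cipher() tuple."""
    name, protocol, bits = negotiated
    if bits < min_bits:            # the cruder bit-strength floor
        return False
    if protocol == "TLSv1.3":      # assumption: TLS 1.3 suites pass on bits alone
        return True
    return name in expand(strict_list)


# Constructed samples shaped like SSLSocket.cipher() results.
SAMPLES = [
    ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256),
    ("AES256-SHA", "SSLv3", 256),            # RSA key exchange, excluded by !kRSA
    ("TLS_AES_128_GCM_SHA256", "TLSv1.3", 128),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], "->", "strict" if meets_policy(sample) else "lenient only")
```

In a long-running server the strict list would be expanded once at start-up and the resulting set reused for every session.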