On Wed August 11 2010, Tim Cloud wrote:
> Let's pretend for a moment that an out of the box application uses openssl to
> provide access not through a browser, but rather through a SOAP client like
> Eclipse.
> And let's also say that you have no access to the code internal to that
> application.
> Is there any other way to limit the ciphers?
> Some kind of config file or a special way to compile the executable?
>
The quick answer: the cipher list is not limited by an external, run-time config file.

I am a bit confused by the limits to your question; the two parts, "have no access to the code internal to that application" and "special way to compile the executable", seem to conflict (at least in my mind). I suppose you know what you meant - I'll go with that assumption. ;-)

The ciphers that might be used are established by agreement between client and server - two ends at which control might be effected.

Server end (not mentioned in your limits): remove the unwanted ciphers from the openssl build. I.e., if the server doesn't have them, it can't offer them, and the client can choose one of them.

Client end: if the client uses the dynamic openssl libraries - just do the same as above.

Client end: if the "I can't rebuild it" part of the client was statically linked against the openssl libraries - then you will have to do a few handsprings. One possible choice - put an https (or other as required) proxy on your gateway - edit the cipher lists offered by client and/or server "on the fly". Note: does not sound like fun to me.

Mike

> ________________________________________
> From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] On
> Behalf Of Kyle Hamilton [aerow...@gmail.com]
> Sent: Wednesday, August 11, 2010 9:11 PM
> To: openssl-users@openssl.org
> Cc: Alex Chen
> Subject: Re: Cipher selection
>
> No, OpenSSL chooses the cipher from the argument to
> SSL[_CTX]_set_cipher_list(3ssl) called on the SSL or the SSL_CTX structure.
>
> On 8/11/10 4:57 PM, Alex Chen wrote:
> > Does openssl choose the cipher from the pem file? If so, which section of
> > the following pem file sets the cipher for communication?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
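The thread's central point is that the offered cipher set is fixed by the application's own call to SSL_CTX_set_cipher_list(), not by any run-time config file. The following is an added example, not code from the thread or from the OpenSSL project, that makes that visible from a defender's side: Python's standard ssl module calls SSL_CTX_set_cipher_list() underneath ssl.SSLContext.set_ciphers(), so the list it reports is exactly what that API call selects. The cipher string "ECDHE+AESGCM:!aNULL:!MD5" and the WEAK_MARKERS policy are constructed for this example, not OpenSSL recommendations; the helper names are hypothetical.

```python
import ssl

# Constructed audit policy for this example (an assumption, not OpenSSL policy):
# substrings that mark cipher names a defender would not want offered on the
# wire (no authentication, export-grade or broken primitives, MD5 MACs).
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ADH", "AECDH")


def offered_ciphers(cipher_string, include_tls13=False):
    """Return the cipher names a client would offer after the cipher string
    has been applied via SSL_CTX_set_cipher_list().

    ssl.SSLContext.set_ciphers() is a thin wrapper over that OpenSSL call,
    so this reflects the application-level decision the thread describes.
    TLS 1.3 suites are governed by a separate OpenSSL setting
    (SSL_CTX_set_ciphersuites) and are left out by default so that the
    effect of the cipher string itself is what shows up in the list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if include_tls13 or c["protocol"] != "TLSv1.3"
    ]


def weak_ciphers(names):
    """Names that trip the (deliberately simple) WEAK_MARKERS policy.

    An empty result means the offered set passes the policy.
    """
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def cipher_string_accepted(cipher_string):
    """True if OpenSSL accepts the string, False if it selects no cipher.

    This is the same failure an application hits when its hard-coded
    argument to SSL_CTX_set_cipher_list() matches nothing in the build,
    e.g. after unwanted ciphers were compiled out as the reply suggests.
    """
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).set_ciphers(cipher_string)
        return True
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    # Compare what a permissive string and a restrictive string would offer.
    permissive = offered_ciphers("ALL:!aNULL")
    strict = offered_ciphers("ECDHE+AESGCM:!aNULL:!MD5")
    print(f"ALL:!aNULL offers {len(permissive)} ciphers, "
          f"{len(weak_ciphers(permissive))} flagged by the policy")
    print(f"ECDHE+AESGCM:!aNULL:!MD5 offers {len(strict)} ciphers, "
          f"{len(weak_ciphers(strict))} flagged by the policy")
    for name in strict:
        print("  ", name)
    print("bogus string accepted:", cipher_string_accepted("NO-SUCH-CIPHER"))
```

Running this against the OpenSSL build Python is linked with is a quick way to check what a given cipher string actually yields on that build, which is the same question the reply raises about removing ciphers from the library: if the build no longer has them, set_ciphers() either drops them silently or fails outright when nothing is left.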