On Sun, Jun 17, 2012 at 12:29:53PM -0400, Tom Lane wrote:
> The fly in the ointment with any of these ideas is that the "configure
> list" is not a list of exact cipher names, as per Magnus' comment that
> the current default includes tests like "!aNULL".  I am not sure that
> we know how to evaluate such conditions if we are applying an
> after-the-fact check on the selected cipher.  Does OpenSSL expose any
> API for evaluating whether a selected cipher meets such a test?

I'm not sure whether there's an API for it, but you can certainly check
manually with "openssl ciphers -v", for example:

$ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5


So unless the openssl includes the code twice there must be a way to
extract the list from the library.

Have a nice ay,
Martijn van Oosterhout   <klep...@svana.org>   http://svana.org/kleptog/
> He who writes carelessly confesses thereby at the very outset that he does
> not attach much importance to his own thoughts.
   -- Arthur Schopenhauer

Attachment: signature.asc
Description: Digital signature

Reply via email to