I can partially answer question #1. Yes, the client sends the list of
ciphers it supports to the server. The server will then pick the
'strongest' cipher from the list for negotiating the session. The
priority is based on strength, best I can tell, and differs between
server implementations. For instance, IIS and Apache will negotiate
slightly differently as far as what each considers 'stronger'.
If your definition of random is each web server platform being a bit
different in negotiation, then yes it is random ;) (sarcasm)
Hope that helps,
Brian Trzupek
On Mar 4, 2008, at 5:28 AM, Baur, Mateus (Brazil R&D-CL) wrote:
Hi All,
I have some doubts regarding OpenSSL cipher algorithms and I was
wondering if someone could help me with that.
1) If my understanding is correct, the client sends the list
of supported cipher algorithms and the server will choose one
algorithm of such list in order to establish the secure channel. Is
there some priority for the algorithms? For instance, will it favor
AES in lieu of DES whenever supported by the client? Or is the
algorithm chosen randomly?
2) How is the symmetric key negotiated in OpenSSL? Does it use
Diffie-Hellman or RSA? Or does it vary depending on client request?
If the second, what is used if client supports both?
Thanks in advance,
Mateus
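
Added example, not part of either message above: a model of the selection step both questions ask about, in which the deciding side takes the first mutually supported suite in its own order (OpenSSL servers follow the client's order unless SSL_OP_CIPHER_SERVER_PREFERENCE is set) and the key exchange, RSA or DHE, follows from the suite chosen. The ClientHello bytes, the server list and all function names are constructed for illustration.

```python
import struct

# TLS cipher suite IDs: id -> (name, key exchange, bulk cipher)
SUITES = {
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE", "AES-256"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA", "AES-256"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA", "AES-128"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA", "3DES"),
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", "RSA", "DES"),
}

def parse_cipher_suites(field):
    """Parse a ClientHello cipher_suites vector: 2-byte length, then 2-byte IDs."""
    if len(field) < 2:
        raise ValueError("truncated cipher_suites length")
    (length,) = struct.unpack_from("!H", field, 0)
    body = field[2:]
    if length == 0 or length % 2 or length != len(body):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack_from("!H", body, i)[0] for i in range(0, length, 2)]

def select_suite(client_ids, server_ids, server_preference=False):
    """Return the first shared suite in the deciding side's order, or None."""
    primary, other = (server_ids, client_ids) if server_preference else (client_ids, server_ids)
    allowed = set(other)
    for sid in primary:
        if sid in allowed and sid in SUITES:  # IDs missing from the table count as unsupported
            return sid
    return None

def describe(sid):
    """Summarise the chosen suite, including the key exchange it implies."""
    if sid is None:
        return "handshake failure: no shared cipher"
    name, kx, cipher = SUITES[sid]
    return f"{name} (key exchange {kx}, cipher {cipher})"

# Constructed sample: client offers DES first, then AES-128 with RSA, then AES-256 with DHE
CLIENT_FIELD = bytes.fromhex("0006" "0009" "002f" "0039")
SERVER_ORDER = [0x0039, 0x0035, 0x002F, 0x000A]  # hypothetical server list, single DES disabled

if __name__ == "__main__":
    offered = parse_cipher_suites(CLIENT_FIELD)
    for pref in (False, True):
        chosen = select_suite(offered, SERVER_ORDER, server_preference=pref)
        print("server order" if pref else "client order", "->", describe(chosen))
```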