Hi,

My apologies, it IS working. I thought I had tried it but I guess I made a
mistake and linked to the wrong library (I have 4-5 different versions of the
compiled openssl libraries!). In order to get ADH to work I have to compile
the libraries either with NO_RSA or with SSL_ALLOW_ADH. When NO_RSA is
defined the ADH cipher suites are in the default cipher list (they are listed
by "openssl ciphers"). When compiled only with SSL_ALLOW_ADH, ADH is not
enabled by default and I have to use

    SSL_CTX_set_cipher_list(ctx, "ADH-DES-CBC3-SHA:ADH-DES-CBC-SHA:EXP-ADH-DES-CBC-SHA")

to enable it. With that last modification it works correctly. Thanks for the
response.


Vincent


Bodo Moeller wrote:

> Vincent Levesque <[EMAIL PROTECTED]>:
>
> > I'd like to be able to choose between ADH or RSA in my application
> > without recompiling the libraries. If I compile the library without RSA
> > and disable all certificate stuff in my application it falls back to
> > ADH-DES-CBC3-SHA like I want it to. If I compile with RSA that cipher
> > suite doesn't seem to be available. I've seen some discussion about
> > compiling the library with SSL_ALLOW_ADH but I've tried it and I get the
> > same result (no shared cipher suite). Is there anything else to do to
> > enable ADH when stronger cipher suites are available?
>
> Compiling the library with -DSSL_ALLOW_ADH should do.  It's somewhat
> weird that this apparently cannot be configured purely at run-time --
> it should be enough that ADH ciphers are not in SSL_DEFAULT_CIPHER_LIST.
> (Also it's weird that defining NO_RSA automatically defines
> SSL_ALLOW_ADH and puts ADH in the default cipher list -- there are also
> DSA certificates, after all.  I guess all this is subject to change.)
>
> In theory (and, likely, in future OpenSSL versions) it should be
> enough to use SSL[_CTX]_set_cipher_list with a cipher list that
> includes ADH.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
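
Added example, not code from the thread or from OpenSSL: ADH suites do no peer authentication, so an application that takes its cipher string from configuration can check whether that string adds anonymous suites before handing it to SSL_CTX_set_cipher_list. The function names are hypothetical, and the check is a conservative text scan that assumes the documented cipher-string syntax (entries separated by ":", "," or space; "!", "-", "+" prefixes) and does not expand aliases such as ALL.

```c
#include <stdio.h>
#include <string.h>

/* True if a '-' or '+' separated component of the entry is exactly an
 * anonymous-authentication tag: matches "ADH-DES-CBC3-SHA" and
 * "EXP-ADH-DES-CBC-SHA", but not "DHE-RSA-..." or "DH-RSA-...". */
static int has_anon_component(const char *tok, size_t len)
{
    static const char *const tags[] = { "ADH", "AECDH", "aNULL" };
    size_t start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && tok[i] != '-' && tok[i] != '+')
            continue;
        for (size_t t = 0; t < sizeof tags / sizeof tags[0]; t++)
            if (i - start == strlen(tags[t]) &&
                strncmp(tok + start, tags[t], i - start) == 0)
                return 1;
        start = i + 1;
    }
    return 0;
}

/* Count entries of an OpenSSL cipher string that add anonymous suites.
 * "!aNULL" anywhere excludes them permanently, so the result is 0.
 * Conservative: entries prefixed '!', '-' or '+' add nothing and are
 * skipped, '-' removals are not replayed, aliases such as ALL are not
 * expanded. */
int count_anon_entries(const char *list)
{
    int hits = 0;
    for (const char *p = list; *p; ) {
        size_t len = strcspn(p, ":, ");
        if (len == 6 && strncmp(p, "!aNULL", 6) == 0)
            return 0;
        if (len > 0 && !strchr("!-+", p[0]))
            hits += has_anon_component(p, len);
        p += len;
        if (*p)
            p++;
    }
    return hits;
}

int main(void)
{
    /* The cipher list from the message above. */
    const char *list = "ADH-DES-CBC3-SHA:ADH-DES-CBC-SHA:EXP-ADH-DES-CBC-SHA";
    printf("%d anonymous entries\n", count_anon_entries(list));
    return 0;
}
```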
