Again, thanks for the quick answer
>On Mon, Jun 26, 2000 at 01:11:58PM +0200, [EMAIL PROTECTED] wrote:
>> >the texts for SSLv2 and SSLv3 are the same, this is of no importance.
>> >What you really want is to use the 128bit domestic cipher and the 40bit
>> >cipher as a fallback:
>> > SSL_CTX_set_cipher_list(ctx, "RC-MD5:EXP-RC4-MD5");
>>
>> First of all thanks for that quick and very helpful answer!
>> I just wonder why this cipher (RC-MD5) is not supported by default or am I
>> wrong in this case?
>Huh, that of course is a typo, it is also called RC4-MD5 (with "4"), of
>course...
>So: RC4-MD5:EXP-RC4-MD5 is the correct string.
Well, indeed, I realized it, what you see is a typical
"copy-and-paste-error". :)
>The ciphers should however be compiled in anyway. Provided you have a
>standard build, you should get:
>> openssl ciphers
>EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-DSS-RC4-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5:IDEA-CBC-MD5:RC2-CBC-MD5:RC4-MD5:RC4-64-MD5:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EXP1024-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5
It is a standard build. I've tried to call SSL_CTX_set_cipher_list() with
this complete list, and the result was as if I didn't call the function, so
it really seems to be a correct standard build. Probably I'll try some other
combinations later on to figure out what's Netscape's problem
(has to be something in between RC4-MD5:EXP-RC4-MD5 and the full list
above, I think).
>>
>> My special reason is that without the mentioned functioncall I get a
>>
>> "<title>Insufficient encryption</title><h1>Insufficient encryption</h1>This
>> document requires a larger secret key size for
>> encryption than your browser is capable of supporting."
>>
>> -answer from the Domestic Server.
>> (see also my mail "Error: document requires a larger secret key size for
>> encryption than your browser is capable of supporting", posted on June 22).
>> Since there was no response to this request I found this the only way to
>> solve my problem. In case you've got a better
>> solution, please let me know.
>Actually, the TLS specification says that the client lists its supported
>ciphers sorted by preference. The server then selects one of them. In OpenSSL
>servers, the server strictly honors the client's sorting and chooses the first
>one in the list that is also supported by the server. The OpenSSL default
>ciphers are sorted by strength, so that the server would select the strongest
>ciphers first and it should work as expected.
>In the special case you describe, it seems that the Netscape server is not
>lucky with its cipher selection; it chooses one that for any reason whatsoever
>is later found to be not sufficient. Maybe the check "sufficient or not" on
>the server side is problematic.
>What cipher is chosen? I don't know what ciphers Netscape server
>support...
In Netscape's preferences the following ciphers are possible (and
checked for my example):
SSL 2.0 ciphers:
RC4 with 128 bit encryption and MD5 message authentication
RC4 with 40 bit encryption and MD5 message authentication
RC2 with 128 bit encryption and MD5 message authentication
RC2 with 40 bit encryption and MD5 message authentication
DES with 56 bit encryption and MD5 message authentication
Triple DES with 168 bit encryption and MD5 message authentication
SSL 3.0 ciphers:
RC4 with 128 bit encryption and MD5 message authentication
RC4 with 40 bit encryption and MD5 message authentication
Triple DES with 168 bit encryption and SHA message authentication
DES with 56 bit encryption and SHA message authentication
RC2 with 40 bit encryption and MD5 message authentication
My problem began as I changed the point "Stronger Encryption" from
"Allow 40 bit secret key size for access" (default) to
"Require 128 bit secret key size for access".
Is it that unusual to use a Netscape server for SSL connections? (Nevertheless it's
not in my hands to choose at this time, but who knows.)
best regards,
Silvio Matthes
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
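The selection rule Lutz describes (client sends ciphers in preference order, an OpenSSL server takes the first one it also supports) and the "require 128 bit secret key size" check that produced the "Insufficient encryption" page are easy to lose track of when juggling cipher strings. The following is an added example written for this archive page, not code from the thread, from OpenSSL or from the Netscape server; it simulates the negotiation in plain Python with a small constructed table of cipher names taken from the thread and their nominal key sizes. The `server_preference` switch is an assumption added for illustration (it corresponds in spirit to OpenSSL's later SSL_OP_CIPHER_SERVER_PREFERENCE option, which the thread does not mention), to show why ordering the client list "RC4-MD5:EXP-RC4-MD5" rather than the reverse matters when the server honors client order.

```python
"""Simulate SSL cipher selection and a minimum-key-size check.

Added example, not code from the mailing-list thread or from OpenSSL.
CIPHER_BITS is a constructed table: the names appear in the thread, the
bit counts are the nominal symmetric key sizes (40-bit export ciphers,
56-bit DES, 128-bit RC4, 168-bit triple DES).
"""

# Cipher name -> effective symmetric key size in bits (constructed table)
CIPHER_BITS = {
    "RC4-MD5": 128,
    "RC4-SHA": 128,
    "EXP-RC4-MD5": 40,
    "EXP-RC2-CBC-MD5": 40,
    "DES-CBC-SHA": 56,
    "DES-CBC3-SHA": 168,
    "DES-CBC3-MD5": 168,
}


def parse_cipher_list(spec):
    """Split an OpenSSL-style colon-separated cipher string into names,
    preserving order, dropping empty entries, unknown names and duplicates."""
    names = []
    for name in spec.split(":"):
        name = name.strip()
        if name and name in CIPHER_BITS and name not in names:
            names.append(name)
    return names


def select_cipher(client_spec, server_spec, server_preference=False):
    """Return the negotiated cipher name, or None when nothing overlaps.

    Default behaviour is the one attributed to OpenSSL servers in the thread:
    walk the client's list in the client's order and take the first cipher the
    server also offers. With server_preference=True (an assumption for this
    illustration) the server's order decides instead.
    """
    client = parse_cipher_list(client_spec)
    server = parse_cipher_list(server_spec)
    first, second = (server, client) if server_preference else (client, server)
    for name in first:
        if name in second:
            return name
    return None


def meets_key_size(cipher, required_bits):
    """Mimic a server-side 'require N bit secret key size' policy check."""
    return cipher is not None and CIPHER_BITS[cipher] >= required_bits


def negotiate(client_spec, server_spec, required_bits=40, server_preference=False):
    """Negotiate a cipher and report whether the policy would accept it."""
    cipher = select_cipher(client_spec, server_spec, server_preference)
    return cipher, meets_key_size(cipher, required_bits)


if __name__ == "__main__":
    # Constructed server list, strongest first, as a standard build would order it
    server = "DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:EXP-RC4-MD5"
    for client in ("RC4-MD5:EXP-RC4-MD5", "EXP-RC4-MD5:RC4-MD5"):
        for pref in (False, True):
            cipher, ok = negotiate(client, server, 128, pref)
            print(f"client={client!r} server_pref={pref}: {cipher} -> "
                  f"{'accepted' if ok else 'insufficient encryption'}")
```

With the client string from the thread the 128-bit RC4-MD5 wins and the 128-bit policy passes; with the two entries swapped the 40-bit export cipher is chosen first and the same "insufficient" outcome the original poster saw is reproduced, unless the server is made to apply its own ordering.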