On Fri, May 24, 2002 at 03:21:02PM -0700, Shyamal Kumar wrote:
> In the openssl library code, I notice that the array of SSL_CIPHER
> structures in s3_lib.c is what determines the order in which cipher
> suites are searched when processing a client hello. Is that right? Would
> this mean that if I want to give preference to DES-CBC-SHA over
> EDH-RSA-DES-CBC-SHA, when negotiating with a client, I can shift the
> array elements one over the other to achieve this? Or do I have to do
> something different?
In OpenSSL versions up to and including 0.9.6x, the library implements the
RFC requirement "server chooses according to the preferences of the client"
in a quite straightforward manner: the first cipher in the list sent by the
client is chosen that is also supported by the server. The sorting at the
server side is simply ignored.
Starting with 0.9.7 the SSL_OP_CIPHER_SERVER_PREFERENCE option is available,
that lets the server choose along its preference. Starting with 0.9.7 your
intended behaviour can be realized.

> I am trying to get around the fact that we have EDH support in the code,
> but we want to avoid it unless absolutely necessary.

EDH does cost performance but it does also get you another step in security.
I would recommend you to keep EDH as a preference and only then fall back to
non-EDH ciphers as it is now.

Best regards,
	Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
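Added example (not part of the thread and not OpenSSL's own code): a small C model of the two selection rules Lutz describes. Both sides' cipher lists are ordered most-preferred first; the pre-0.9.7 rule walks the client's list and takes the first entry the server also supports, while the SSL_OP_CIPHER_SERVER_PREFERENCE rule walks the server's list instead. The cipher lists are constructed sample data, and the function names are this example's own; the real library calls are only named in a comment.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Cipher lists are NULL-terminated arrays of OpenSSL-style cipher suite
 * names, ordered most preferred first. */

static int list_contains(const char *const *list, const char *name) {
    for (size_t i = 0; list[i] != NULL; i++)
        if (strcmp(list[i], name) == 0) return 1;
    return 0;
}

/* Walk `primary` in order and return the first entry that `other` also
 * supports; NULL means the two sides share no cipher (handshake failure). */
static const char *first_common(const char *const *primary,
                                const char *const *other) {
    for (size_t i = 0; primary[i] != NULL; i++)
        if (list_contains(other, primary[i])) return primary[i];
    return NULL;
}

/* Rule up to 0.9.6x (and the 0.9.7 default): the client's ordering decides,
 * the server's ordering is ignored. Reordering the server side changes
 * nothing here as long as the server supports both suites. */
const char *select_client_preference(const char *const *client,
                                     const char *const *server) {
    return first_common(client, server);
}

/* Rule with SSL_OP_CIPHER_SERVER_PREFERENCE set (0.9.7 and later): the
 * server's ordering decides; the client list only says what it supports. */
const char *select_server_preference(const char *const *client,
                                     const char *const *server) {
    return first_common(server, client);
}

/* Constructed sample lists, not captured from a real handshake. The client
 * prefers the plain RSA suite; the server keeps EDH first, as recommended. */
static const char *const CLIENT_LIST[] = { "DES-CBC-SHA", "EDH-RSA-DES-CBC-SHA", NULL };
static const char *const SERVER_LIST[] = { "EDH-RSA-DES-CBC-SHA", "DES-CBC-SHA", NULL };
/* A client whose only offer the server does not carry: no common suite. */
static const char *const CLIENT_NO_OVERLAP[] = { "RC4-SHA", NULL };

int main(void) {
    const char *a = select_client_preference(CLIENT_LIST, SERVER_LIST);
    const char *b = select_server_preference(CLIENT_LIST, SERVER_LIST);
    const char *c = select_server_preference(CLIENT_NO_OVERLAP, SERVER_LIST);
    printf("client preference wins: %s\n", a);
    printf("server preference wins: %s\n", b);
    printf("no overlap: %s\n", c ? c : "(handshake failure)");
    /* With the real library the second rule is switched on by
     *   SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
     * and the server-side ordering comes from
     *   SSL_CTX_set_cipher_list(ctx, "EDH-RSA-DES-CBC-SHA:DES-CBC-SHA");
     * (both are existing OpenSSL calls; they are not invoked here so the
     * example builds without libssl). */
    return 0;
}
```

With the sample lists, the client-preference rule yields DES-CBC-SHA and the server-preference rule yields EDH-RSA-DES-CBC-SHA; the third call returns NULL because the client offers nothing the server has.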