On Wed, Dec 17, 2003, Dr. Stephen Henson wrote:
> IIRC the client hello reports the supported ciphersuites in order of
> preference and the OpenSSL server code will normally use the first one
> from that list that it supports. The actual ciphersuites supported by the
> server may be less than those OpenSSL supports because some require DH
> parameters and others a DSA certificate.
>
> It is possible to override the client's preference though and use a
> server preferred ciphersuite.
>
> You could try disabling some ciphersuites with the server cipher string
> to see if others will work.

Steve,

thanks for your explanation. I am very familiar with the protocol itself
and understand your proposal, but I am a newbie to the openssl/libssl
area. Please can you give me some hint where I can change the parameters
you were talking about, since I have no idea.

Regards,
Markus

-----Original Message-----
From: Dr. Stephen Henson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 17 December 2003 23:54
To: [EMAIL PROTECTED]
Subject: Re: Libssl chooses wrong cipher suite during TLS authentication

On Wed, Dec 17, 2003, Obermeier Markus ICM MP PD TS wrote:
> Dear all,
>
> I am working on an EAP/TLS authentication with Freeradius and the
> Odyssey client. After a client hello message with a bunch of cipher
> suites, the Odyssey client receives a server hello message with one
> cipher suite. It responds with a TLS Alert message that tells the
> server the cipher suite selection has been fatal!
>
> At the end I attached the complete protocol as well for further
> studies.
>
> How does Libssl choose the cipher suite?
>

IIRC the client hello reports the supported ciphersuites in order of
preference and the OpenSSL server code will normally use the first one
from that list that it supports. The actual ciphersuites supported by the
server may be less than those OpenSSL supports because some require DH
parameters and others a DSA certificate.

It is possible to override the client's preference though and use a
server preferred ciphersuite.

You could try disabling some ciphersuites with the server cipher string
to see if others will work.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                        [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
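The selection rule Steve describes (client order wins by default, the server's usable set is smaller than the compiled-in set when DH parameters or a DSA certificate are missing, the server cipher string removes suites, and a server-preference option can override the client order) is easy to get wrong when debugging a handshake_failure like the one in the trace. The following Python model, added here as an illustration and not code from the thread or from OpenSSL, walks through those cases so the effect of each knob can be seen on one ClientHello. The suite table, the ClientHello contents and the function names are constructed for the example; the cipher-string parser handles only a small subset of OpenSSL's real grammar. In libssl itself the corresponding knobs are SSL_CTX_set_cipher_list() for the cipher string, SSL_CTX_set_tmp_dh() to load DH parameters, and the SSL_OP_CIPHER_SERVER_PREFERENCE option passed to SSL_CTX_set_options() to make the server's order win.

```python
"""Constructed model of how an OpenSSL server picks a cipher suite from a
ClientHello, following the behaviour described in the thread.  Illustration
only: the suite table, requirement flags and function names are assumptions
made for this example, not OpenSSL's own code."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed table: suite name -> what the server needs to offer it.
# "kx" is the key exchange (DHE needs DH parameters loaded on the server),
# "auth" is the certificate type the server must have been configured with.
SUITES = {
    "DHE-DSS-AES256-SHA": {"kx": "DHE", "auth": "DSS"},
    "DHE-RSA-AES256-SHA": {"kx": "DHE", "auth": "RSA"},
    "AES256-SHA":         {"kx": "RSA", "auth": "RSA"},
    "RC4-SHA":            {"kx": "RSA", "auth": "RSA"},
    "DES-CBC3-SHA":       {"kx": "RSA", "auth": "RSA"},
}


def parse_cipher_string(spec: str) -> List[str]:
    """Tiny subset of OpenSSL's cipher-string grammar (assumption: only
    'ALL', bare suite names and '!name' are understood; real OpenSSL also
    has '+', '-', '@STRENGTH' and aliases such as 'aRSA' or 'kEDH').
    The order of the result is the server's own preference order."""
    enabled: List[str] = []
    killed = set()
    for tok in spec.split(":"):
        if tok == "ALL":
            enabled += [s for s in SUITES if s not in enabled]
        elif tok.startswith("!"):
            killed.add(tok[1:])          # '!' removes a suite permanently
        elif tok in SUITES:
            if tok not in enabled:
                enabled.append(tok)
        else:
            raise ValueError(f"unknown cipher-string token {tok!r}")
    return [s for s in enabled if s not in killed]


@dataclass
class ServerConfig:
    cert_type: str                   # "RSA" or "DSS", from the loaded certificate
    has_dh_params: bool              # True once DH parameters have been set
    cipher_string: str = "ALL"       # what SSL_CTX_set_cipher_list() would get
    server_preference: bool = False  # models SSL_OP_CIPHER_SERVER_PREFERENCE

    def allowed(self) -> List[str]:
        return parse_cipher_string(self.cipher_string)


def server_supports(cfg: ServerConfig, suite: str) -> bool:
    """A suite is usable only if the cipher string keeps it AND the server
    has the certificate type and DH parameters it needs."""
    req = SUITES.get(suite)
    if req is None or suite not in cfg.allowed():
        return False
    if req["auth"] != cfg.cert_type:
        return False
    if req["kx"] == "DHE" and not cfg.has_dh_params:
        return False
    return True


def select_suite(client_hello: List[str], cfg: ServerConfig) -> Optional[str]:
    """Return the suite the server would put in ServerHello, or None when
    nothing overlaps (the server then aborts with a handshake_failure alert)."""
    usable = [s for s in client_hello if server_supports(cfg, s)]
    if not usable:
        return None
    if cfg.server_preference:
        # Server order wins: first entry of the server's list the client offered.
        return next(s for s in cfg.allowed() if s in usable)
    # Default: client order wins, first offered suite the server can do.
    return usable[0]


# Constructed ClientHello, listed in the client's order of preference.
CLIENT_HELLO = ["DHE-DSS-AES256-SHA", "DHE-RSA-AES256-SHA",
                "AES256-SHA", "RC4-SHA", "DES-CBC3-SHA"]


def demo() -> dict:
    """Run the scenarios from the thread and return {label: chosen suite}."""
    return {
        "rsa cert, no DH params": select_suite(
            CLIENT_HELLO, ServerConfig("RSA", False)),
        "rsa cert, DH params loaded": select_suite(
            CLIENT_HELLO, ServerConfig("RSA", True)),
        "rsa cert, AES256-SHA disabled": select_suite(
            CLIENT_HELLO, ServerConfig("RSA", False, "ALL:!AES256-SHA")),
        "rsa cert, server preference": select_suite(
            CLIENT_HELLO, ServerConfig("RSA", False,
                                       "DES-CBC3-SHA:RC4-SHA:AES256-SHA", True)),
        "dss cert, no DH params": select_suite(
            CLIENT_HELLO, ServerConfig("DSS", False)),
        "dss cert, DH params loaded": select_suite(
            CLIENT_HELLO, ServerConfig("DSS", True)),
    }


if __name__ == "__main__":
    for label, suite in demo().items():
        print(f"{label:32s} -> {suite}")
```

Running it shows why a client can reject a suite that was "offered": the server answers with the first client-ordered suite it can actually complete, so a missing DH parameter file silently drops every DHE suite and pushes the choice further down the client's list. Narrowing the cipher string, as Steve suggests, changes which suite survives and is the quickest way to find one the Odyssey client accepts; the server-preference case shows the override where the server's own list order decides instead.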