----- Original Message -----
From: "Dr. Stephen Henson" <[EMAIL PROTECTED]>
To: <openssl-users@openssl.org>
Sent: Saturday, March 04, 2006 5:24 AM
Subject: Re: How is default cipher selected ?

> On Sat, Mar 04, 2006, Urjit Gokhale wrote:
>
> > Hi All,
> >
> > I have an echo server (a C application) which uses SSL.
> > In the server, calling SSL_get_cipher() and SSL_get_cipher_version() after SSL_accept() returns this:
> > ======
> > SSL cipher is : DES-CBC3-SHA
> > SSL cipher version is : TLSv1/SSLv3
> > ======
> >
> > I would like to know how this default cipher suite is selected?
> > Is there any parameter in some configuration file?
> > Is it related to the certificate that the server/client uses?

<snip>

Hi Steve,
Thanks for replying.

<snip>

> The ciphersuites the server supports depend on a number of factors...
>
> 1. The type of certificates the server uses. Some require RSA, some DSA, others
> ECDSA.

How does this depend on the certificate? Is there some field in the certificate that specifies this?
I need to know this in a little more detail as I will be creating my own CA and issuing certificates to my server and clients.

> 2. Whether the server has a set of DH or ECDH parameters loaded.

I will read more about DH and revert back if I have any more doubts on this.

> 3. Which ciphersuites are explicitly disabled by the cipher string.

Yes. I in fact did try that in the server and could see it working. I used SSL_set_cipher_list() for this.

> 4. Which ciphersuites are disabled by the library compilation options: e.g.
> IDEA support may not be compiled in.

Okay. In that case, how do I check if some ciphersuites, or any feature for that matter, is (un)available in the library?
What if the feature (a specific ciphersuite in this case) that I need is disabled in the library I am using? I believe the only solution to this is to take the source and build the library with that feature enabled?
This question is a bit important to me as I need to take a call between using libraries on the customer's machines, or statically linking my application with my library (the one that I know has all the required features enabled) and shipping the library along with the application to the customer.
What do you suggest regarding this?

>
> Steve.

Thanks,
~ Urjit
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
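
Points 3 and 4 of the reply, and the follow-up question of how to check what a given library supports, can be probed at runtime. The following is an added example, not part of the original thread: it uses Python's ssl module, whose set_ciphers() passes the string to OpenSSL's SSL_CTX_set_cipher_list(), so the result describes the OpenSSL build Python is linked against, which may differ from the one a C application loads. The helper names and the NOT-A-REAL-SUITE name are constructed for illustration.

```python
import ssl


def expand_cipher_string(cipher_string):
    """Return the pre-TLS 1.3 suite names the linked OpenSSL selects for cipher_string.

    An empty list means nothing matched: every suite named is either excluded
    by the string itself or unknown to (not compiled into) this OpenSSL build.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)  # wraps SSL_CTX_set_cipher_list()
    except ssl.SSLError:
        return []  # OpenSSL reported that no cipher could be selected
    # TLS 1.3 suites are configured separately from the cipher string and are
    # listed regardless of it, so they are filtered out here.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_available(suite_name):
    """True if the linked OpenSSL build accepts suite_name in a cipher list."""
    return suite_name in expand_cipher_string(suite_name)


def report(suites):
    """Map each requested suite name to its availability in this build."""
    return {name: is_available(name) for name in suites}


if __name__ == "__main__":
    print("Probing", ssl.OPENSSL_VERSION)
    # DES-CBC3-SHA is the suite from the question, IDEA-CBC-SHA matches the
    # compile-time example in the reply, and the last name is constructed.
    wanted = ["DES-CBC3-SHA", "IDEA-CBC-SHA", "NOT-A-REAL-SUITE"]
    for name, ok in report(wanted).items():
        print(f"{name:20} {'available' if ok else 'NOT available'}")
    # Point 3: a '!' term in the cipher string removes suites from the list.
    remaining = expand_cipher_string("DEFAULT:!AES")
    print(len(remaining), "suites remain after DEFAULT:!AES")
```

A suite reported as available is known to the library and selectable by cipher string; whether it is negotiated still depends on the certificate type, the DH/ECDH parameters and the peer, as the reply lists.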