--- Urjit Gokhale <[EMAIL PROTECTED]> wrote:
> Hi,
> Thanks for the reply.
>
> > Urjit,
> > >
> > > I got it working once I replaced
> > > "EXP-DES-CBC-SHA" with
> > > "DES-CBC-SHA"
> > >
> > > I think you might have to do something special to
> > > enable export quality ciphers.
> > >
> >
> > They can place restrictions on the size of the RSA key used for kex
> > exchange.
> > That means that if the key in the certificate is larger than the limit a
> > temporary RSA key is used instead. You need to supply that.
> >
>
> Well ... In that case,
> A] how is it that s_server and s_client can communicate
> 1) Using the same ssl library
> 2) Using the same certificates
> 3) Using the same cipher suites

You mean can't, don't you? That is because the SSL protocol itself is different in the export case. As Steve mentioned, there is an additional key exchange stage, kex, in the case of export ciphers.

>
> B] How is it that my sample_client connects to s_server using
> "EXP-DES-CBC-SHA"? Does this mean that restrictions are applied only at the
> server side? Or is it just that the server is the first one to process the
> certificate and fails to do so due to different RSA key size, and s_server
> somehow manages to handle exportable cipher suite and the presented
> certificate (?) ?

In fact I commented out your client cert stuff. Server is king in SSL. :-) Client hardly matters.

>
> Another question is:
> Is it only the key size restrictions or something else as well, that is
> different between EXP-DES-CBC... and DES-CBC... ?
> Also, what are the general scenarios when one would prefer an exportable
> cipher suite over non-exportable cipher suites?

Other than key strength there would be no other consideration IMHO.

>
> > Steve.
>
> ~ Urjit

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]