On 2007.08.29 at 09:46:11 +0200, André Ziermann wrote:

> Hello all,
>
> I was playing with a snapshot of openssl of July 26th to learn more about
> running SSL with GOST ciphers.
>
> So I tried to start an SSL server (openssl s_server) with a GOST2001 key and
> a self signed certificate.
> It does not work, saying that the certificate type is unknown.

For now, GOST ciphersuites in the snapshot are not fully implemented.
We've implemented symmetric cipher support and record MAC (i.e. the record
protocol). A few days ago I sent a patch which implements the handshake MAC
and PRF, but support of GOST authentication and key exchange is yet to be
written (and then reviewed and accepted by the core team).

> When looking at the supported ciphersuites, there is no GOST cipher suite
> among them.
> The experimental(?) cipher suites GOST-MD5 and GOST-GOST94, which I found in
> the sources, are not compiled with.

They should rather be called debugging ciphersuites. These ciphersuites
use RSA key exchange and authentication and the GOST cipher in the record
protocol. They are here only to debug GOST support in the record protocol,
not for any use.

> What should I do to get TEMP_GOST_TLS defined? (see s3_lib.c)

Configure the snapshot with the command

    ./config shared -DTEMP_GOST_TLS

> Are s_server and s_client ready to be run and tested with GOST keys and certs
> when being compiled from the current openssl snapshot?
> Are there other versions of openssl which are fitter to run SSL with GOST?

See http://www.cryptocom.ru/OpenSource/OpenSSL_eng.html

You'll find our unofficial patch to the 0.9.8 version, which supports
ciphersuites which are currently submitted as an internet draft and are
compatible with some commercial products (Cryptopro CSP, MagPro CSP).

There are also a few patches for widespread OpenSource applications which
allow them to use GOST support in OpenSSL. For most applications, use of
extra algorithms requires just reading the OpenSSL configuration file
(and most applications where OpenSSL support was written long before
version 0.9.7 do not do it), but a few of them, most importantly Apache,
require more changes.

Don't hesitate to contact me directly if you want to know more about
GOST in OpenSSL.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                               [EMAIL PROTECTED]