Q: I am a bit confused by the limits to your question, the two parts: "have no access to the code internal to that application"

A: Meaning that I'm working with a commercial pre-compiled application that was designed to use OpenSSL.exe, but does not allow you to "edit" how that application integrates with OpenSSL.exe.

Q: and the: "special way to compile the executable" seem to conflict (at least in my mind). I suppose you know what you meant - I'll go with that assumption. ;-)

A: I'm talking about compiling a special version of OpenSSL.exe, not the host application. When you say:

"Server end: (not mentioned in your limits) - remove the unwanted ciphers from the openssl build. I.E: If the server doesn't have them, it can't offer them, and the client can choose one of them."

That is EXACTLY what I want to do. But having a background as a SQL DBA, I have no idea how to do that. Is there an easy answer? The server will be running Windows 2003 32-Bit, and I just want to compile it with only the FIPS compliant strong ciphers. Any help is greatly appreciated.

Thanks.
-Tim Cloud

________________________________________
From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] On Behalf Of Michael S. Zick [open...@morethan.org]
Sent: Thursday, August 12, 2010 9:15 AM
To: openssl-users@openssl.org
Subject: Re: Cipher selection

On Wed August 11 2010, Tim Cloud wrote:
> Let's pretend for a moment that an out of the box application uses openssl to
> provide access not through a browser, but rather through a SOAP client like
> Eclipse.
> And let's also say that you have no access to the code internal to that
> application.
> Is there any other way to limit the ciphers?
> Some kind of config file or a special way to compile the executable?
>
The quick answer: cipher list is not limited by an external, run-time, config file.

I am a bit confused by the limits to your question, the two parts: "have no access to the code internal to that application" and the: "special way to compile the executable" seem to conflict (at least in my mind). I suppose you know what you meant - I'll go with that assumption. ;-)

The ciphers that might be used are established by agreement between client and server - Two ends at which control might be effected.

Server end: (not mentioned in your limits) - remove the unwanted ciphers from the openssl build. I.E: If the server doesn't have them, it can't offer them, and the client can choose one of them.

Client end: If the client uses the dynamic openssl libraries - just do the same as above.

Client end: If the "I can't rebuild it" part of the client was statically linked against the openssl libraries - then you will have to do a few handsprings - One possible choice - put a https (or other as required) proxy on your gateway - edit the cipher lists offered by client and/or server "on the fly".

Note: Does not sound like fun to me.

Mike

> ________________________________________
> From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] On
> Behalf Of Kyle Hamilton [aerow...@gmail.com]
> Sent: Wednesday, August 11, 2010 9:11 PM
> To: openssl-users@openssl.org
> Cc: Alex Chen
> Subject: Re: Cipher selection
>
> No, OpenSSL chooses the cipher from the argument to
> SSL[_CTX]_set_cipher_list(3ssl) called on the SSL or the SSL_CTX structure.
>
> On 8/11/10 4:57 PM, Alex Chen wrote:
> > Does openssl choose the cipher from the pem file? If so, which section of
> > the following pem file sets the cipher for communication?
>
> ---------------------------------------------------------------------
> CONFIDENTIALITY NOTICE
> This e-mail is intended for the sole use of the individual(s) to whom it is
> addressed, and may contain information that is privileged, confidential and
> exempt from disclosure under applicable law. You are hereby notified that
> any dissemination, duplication, or distribution of this transmission by
> someone other than the intended addressee or its designated agent is strictly
> prohibited. If you receive this e-mail in error, please notify me
> immediately by replying to this e-mail.
> ---------------------------------------------------------------------
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
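Added example, not code from this thread or from the OpenSSL project: it shows the two control points the thread discusses from the library's side. Python's `ssl.SSLContext.set_ciphers()` calls the `SSL_CTX_set_cipher_list()` function Kyle names, and `get_ciphers()` reports which suites the underlying OpenSSL build can actually negotiate for a given cipher string. When a string names only suites the build does not contain, OpenSSL rejects it and nothing can bring those suites back, which is the mechanism behind Michael's "if the server doesn't have them, it can't offer them" advice. The function names, the `WEAK_MARKERS` list and the `STRONG_SPEC` string are constructed for this example; the example does not claim any particular list is FIPS compliant, since that depends on the validated module in use.

```python
"""Show how an OpenSSL cipher-list string limits the suites a context can offer.

ssl.SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list(); get_ciphers()
returns what the linked OpenSSL build would actually offer for that string.
"""
import ssl
from typing import List

# Substrings of suite names a cautious operator would not want offered.
# Constructed for this example: a plain strength filter, not a FIPS claim.
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH")

# Hypothetical hardened whitelist: (EC)DHE key exchange with AES-GCM only,
# with anonymous, MD5 and RC4 suites removed even if the build still has them.
STRONG_SPEC = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5:!RC4"


def offered_ciphers(cipher_spec: str) -> List[str]:
    """Return the pre-TLS1.3 suite names this OpenSSL build offers for cipher_spec.

    Returns [] when no compiled-in suite matches the string: OpenSSL makes
    SSL_CTX_set_cipher_list() fail in that case, so a suite the library lacks
    cannot be selected at run time no matter what the application asks for.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_spec)
    except ssl.SSLError:
        return []
    # TLS 1.3 suites are configured separately (SSL_CTX_set_ciphersuites) and
    # always show up in get_ciphers(); drop them to isolate the cipher-list effect.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(cipher_spec: str) -> List[str]:
    """Names from offered_ciphers() that still contain one of WEAK_MARKERS."""
    return [n for n in offered_ciphers(cipher_spec)
            if any(marker in n for marker in WEAK_MARKERS)]


if __name__ == "__main__":
    for spec in ("DEFAULT", STRONG_SPEC, "RC4-SHA"):
        names = offered_ciphers(spec)
        print(f"{spec!r}: {len(names)} suites offered, weak: {weak_suites(spec)}")
```

Run against a library rebuilt with unwanted algorithms left out, `offered_ciphers("RC4-SHA")` (or any string naming only removed suites) comes back empty, which is the check to make after the rebuild Michael suggests; the same check from a shell is `openssl ciphers -v 'RC4'` against that build. `weak_suites()` is the complementary run-time check for a cipher string an application does control.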