On 12-08-2010 18:03, Tim Cloud wrote:
Q: I am a bit confused by the limits to your question, the two parts: "have no
access to the code internal to that application"
A: Meaning that I'm working with a commercial pre-compiled application that was designed
to use OpenSSL.exe, but does not allow you to "edit" how that application
integrates with OpenSSL.exe
Please double check what your exact situation is:
Does the application in question use openssl.exe or its DLL
libeay32.dll, the solution will be very different in those two
cases.
Q: and the: "special way to compile the executable" seem to conflict (at least
in my mind).
I suppose you know what you meant - I'll go with that assumption. ;-)
A: I'm talking about compiling a special version of OpenSSL.exe not the host
application.
When you say: "Server end: (not mentioned in your limits) - remove the unwanted
ciphers from the openssl build.
I.e.: If the server doesn't have them, it can't offer them, and the client can choose
one of them."
That is EXACTLY what I want to do. But having a background as a SQL DBA, I
have no idea how to do that.
Is there an easy answer? The server will be running Windows 2003 32-Bit, and I
just want to compile it with only the FIPS compliant strong ciphers.
Any help is greatly appreciated.
Again, the answer depends on whether the server uses openssl.exe or libeay32.dll
One answer you might use in either case is to add a bunch of "noxxx"
arguments to the "perl Configure" command line early in the build
of openssl. This way you can disable a lot of unwanted ciphers
(but not specific cipher suites), by effectively removing their
implementation code completely.
________________________________________
From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] On
Behalf Of Michael S. Zick [open...@morethan.org]
Sent: Thursday, August 12, 2010 9:15 AM
To: openssl-users@openssl.org
Subject: Re: Cipher selection
On Wed August 11 2010, Tim Cloud wrote:
Let's pretend for a moment that an out of the box application uses openssl to
provide access not through a browser, but rather through a SOAP client like
Eclipse.
And let's also say that you have no access to the code internal to that
application.
Is there any other way to limit the ciphers?
Some kind of config file or a special way to compile the executable?
The quick answer:
The cipher list is not limited by an external, run-time, config file.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
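The thread makes two points worth seeing side by side: the set of cipher suites a program offers is decided in that program's own code (not by an external config file), and the only lever left when you cannot touch the code is to build a library that lacks the unwanted implementations (the `no-*` options to `perl Configure`, e.g. `no-rc4` or `no-idea`, remove the algorithm's code entirely). The script below is an added example, not code from the list thread or from the OpenSSL project; it uses Python's `ssl` module, which wraps the OpenSSL library installed on the machine, to show the run-time side of that picture. Given a cipher-string spec (both specs here are constructed for illustration), it reports which suites a server context built with that spec would actually offer, and flags any that a policy such as "FIPS-approved strong ciphers only" would not accept. Because `get_ciphers()` only lists suites the linked library implements, the same check run against a library built with `no-rc4` shows RC4 absent even under the `DEFAULT` spec, which is exactly the "server can't offer what it doesn't have" effect described above.

```python
import ssl
from typing import List, Sequence

# Two cipher-string specs to compare (constructed for this example, not from
# the thread): the library's default policy versus a restricted one that
# removes anonymous/NULL suites and the weak legacy algorithms.
DEFAULT_SPEC = "DEFAULT"
RESTRICTED_SPEC = "HIGH:!aNULL:!eNULL:!RC4:!MD5:!DES:!3DES:!EXPORT"

# Substrings that identify suites a "strong ciphers only" policy would reject.
# Suite names come from OpenSSL itself (e.g. "RC4-SHA", "DES-CBC3-SHA").
BANNED_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH")


def offered_ciphers(spec: str) -> List[str]:
    """Return the suite names a TLS server context built from `spec` would offer.

    This is the decision an application makes in its own code when it calls
    SSL_CTX_set_cipher_list(); nothing outside the program rewrites it at run
    time.  Suites the linked OpenSSL library does not implement (for instance
    after a build with `no-rc4`) never appear here, whatever the spec says.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if the spec selects nothing
    return [entry["name"] for entry in ctx.get_ciphers()]


def policy_violations(names: Sequence[str],
                      banned: Sequence[str] = BANNED_MARKERS) -> List[str]:
    """Return the subset of `names` that contains any banned marker."""
    return [n for n in names if any(marker in n for marker in banned)]


def audit(spec: str) -> dict:
    """Summarise what a given spec would offer and which suites break policy."""
    names = offered_ciphers(spec)
    return {
        "spec": spec,
        "offered": len(names),
        "violations": policy_violations(names),
    }


if __name__ == "__main__":
    for spec in (DEFAULT_SPEC, RESTRICTED_SPEC):
        report = audit(spec)
        print(f"{report['spec']!r}: {report['offered']} suites offered, "
              f"policy violations: {report['violations'] or 'none'}")
```

On a library built with the algorithms still present, the `DEFAULT` report may list legacy suites while the restricted spec reports none; the difference is entirely a run-time choice of the calling program, which is why a pre-compiled application cannot be steered by a config file and why the build-time `no-*` route is the one that works without source access.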