The application calls openssl.exe, and does not use the libeay32.dll. Is there an "easy way" to compile the executable with only the "STRONG" cipher suite?
Thanks.

Timothy Cloud
MSPRC Database Manager
Chickasaw Nation Industries
(405) 869-3358 (Office)
(405) 568-9752 (Cell)

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm
Sent: Monday, August 16, 2010 4:18 AM
To: openssl-users@openssl.org
Subject: Re: Cipher selection

On 12-08-2010 18:03, Tim Cloud wrote:
> Q: I am a bit confused by the limits to your question, the two parts: "have no access to the code internal to that application"
> A: Meaning that I'm working with a commercial pre-compiled application that was designed to use OpenSSL.exe, but does not allow you to "edit" how that application integrates with OpenSSL.exe
>

Please double check what your exact situation is: Does the application in question use openssl.exe or its DLL libeay32.dll? The solution will be very different in those two cases.

> Q: and the: "special way to compile the executable" seem to conflict (at least in my mind).
> I suppose you know what you meant - I'll go with that assumption. ;-)
> A: I'm talking about compiling a special version of OpenSSL.exe not the host application.
>
> When you say: "Server end: (not mentioned in your limits) - remove the unwanted ciphers from the openssl build.
> I.E: If the server doesn't have them, it can't offer them, and the client can choose one of them."
>
> That is EXACTLY what I want to do. But having a background as a SQL DBA, I have no idea how to do that.
> Is there an easy answer? The server will be running Windows 2003 32-Bit, and I just want to compile it with only the FIPS compliant strong ciphers.
> Any help is greatly appreciated.
>

Again, the answer depends on whether the server uses openssl.exe or libeay32.dll.

One answer you might use in either case is to add a bunch of "noxxx" arguments to the "perl Configure" command line early in the build of openssl.
This way you can disable a lot of unwanted ciphers (but not specific cipher suites), by effectively removing their implementation code completely.

> ________________________________________
> From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] On Behalf Of Michael S. Zick [open...@morethan.org]
> Sent: Thursday, August 12, 2010 9:15 AM
> To: openssl-users@openssl.org
> Subject: Re: Cipher selection
>
> On Wed August 11 2010, Tim Cloud wrote:
>> Let's pretend for a moment that an out of the box application uses openssl to provide access not through a browser, but rather through a SOAP client like Eclipse.
>> And let's also say that you have no access to the code internal to that application.
>> Is there any other way to limit the ciphers?
>> Some kind of config file or a special way to compile the executable?
>>
>
> The quick answer:
> cipher list is not limited by an external, run-time, config file.
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
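An added example, not part of the original thread and not OpenSSL code: a check to run against the `openssl ciphers -v` output of a rebuilt binary, illustrating the point above that Configure options such as `no-rc4` remove whole algorithms rather than individual cipher suites. The sample output is constructed, and the names `parse`, `audit` and the 128-bit threshold are assumptions of this example.

```python
import re

# Constructed sample of `openssl ciphers -v` output, as it might look for a
# binary configured with no-rc4 and no-rc2 (not captured from a real build).
SAMPLE = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
"""

# name, protocol, Kx, Au, Enc=ALG(bits), Mac; a trailing "export" flag is ignored.
LINE = re.compile(
    r"^(?P<name>\S+)\s+\S+\s+Kx=\S+\s+Au=\S+\s+"
    r"Enc=(?P<alg>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=\S+"
)

def parse(text):
    """Return [(suite_name, enc_algorithm, key_bits)] for each recognised line."""
    suites = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            # Suites without a bit count (e.g. Enc=None) are treated as 0 bits.
            suites.append((m["name"], m["alg"], int(m["bits"] or 0)))
    return suites

def audit(text, removed_algs, min_bits=128):
    """Check a rebuilt binary's suite list.

    still_present: suites whose cipher was supposed to be compiled out.
    weak: remaining suites under min_bits, which algorithm removal did not touch.
    """
    removed = {a.upper() for a in removed_algs}
    suites = parse(text)
    still_present = [n for n, alg, _ in suites if alg.upper() in removed]
    weak = [n for n, alg, bits in suites
            if alg.upper() not in removed and bits < min_bits]
    return {"still_present": still_present, "weak": weak}

if __name__ == "__main__":
    print(audit(SAMPLE, {"RC4", "RC2"}))
```

A non-empty `still_present` list means the binary being inspected is not the one built with those options; a non-empty `weak` list shows suites that survive because their algorithm is still compiled in.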