On Mon, Dec 06, 2010 at 11:36:01AM -0600, Mike Brennan wrote:

> It seems that Openssl doesn't always obey the server's priority

s/doesn't always obey/never by default obeys/

> ordered list of ciphers (set with SSL_set_cipher_list()), even when
> that list is syntactically correct, when the ciphers are available,
> and when the client capabilities don't constrain the choice.

By default the server respects the client's priority. If you want the
server to pre-empt the client's preference list, try:

SSL_CTX_set_options(3) or SSL_set_options(3):

    SSL_OP_CIPHER_SERVER_PREFERENCE
        When choosing a cipher, use the server's preferences instead of
        the client preferences. When not set, the SSL server will always
        follow the client's preferences. When set, the SSLv3/TLSv1 server
        will choose following its own preferences. Because of the
        different protocol, for SSLv2 the server will send his list of
        preferences to the client and the client chooses.

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
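As an added illustration that is not part of the message above or of OpenSSL's own code: a small C model of the selection rule Viktor describes. It walks the preferring side's ordered list and takes the first suite the other side also offers, so the same two lists yield a different suite depending on whether the server-preference switch is on. `select_cipher`, `negotiate_default`, `negotiate_server_pref` and the two sample cipher lists are constructed for this example; in a real OpenSSL program the switch is `SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE)` (or `SSL_set_options()` on a single `SSL`) next to the `SSL_CTX_set_cipher_list()` / `SSL_set_cipher_list()` call that sets the server's order.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if `name` appears anywhere in the ordered list `list`. */
static int in_list(const char *name, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, list[i]) == 0)
            return 1;
    return 0;
}

/* Model (not OpenSSL's code) of the suite selection rule from the reply:
 * walk the *preferring* side's list in order and return the first entry the
 * other side also offers.
 *   server_preference == 0 : OpenSSL's default, the client's order wins.
 *   server_preference != 0 : effect of SSL_OP_CIPHER_SERVER_PREFERENCE for
 *                            SSLv3/TLSv1, the server's order wins.
 * Returns NULL when the lists share no suite, i.e. the handshake would fail.
 * The SSLv2 special case (server sends its list, client picks) is not modelled. */
const char *select_cipher(const char *const *server, size_t ns,
                          const char *const *client, size_t nc,
                          int server_preference)
{
    const char *const *prefer = server_preference ? server : client;
    size_t nprefer            = server_preference ? ns : nc;
    const char *const *other  = server_preference ? client : server;
    size_t nother             = server_preference ? nc : ns;

    for (size_t i = 0; i < nprefer; i++)
        if (in_list(prefer[i], other, nother))
            return prefer[i];
    return NULL;
}

/* Constructed sample preference lists using real OpenSSL cipher names:
 * the server wants AES first and RC4 last, the client wants the reverse. */
static const char *const server_prefs[] = { "AES256-SHA", "AES128-SHA", "RC4-SHA" };
static const char *const client_prefs[] = { "RC4-SHA", "AES128-SHA", "AES256-SHA" };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Outcome with OpenSSL's default behaviour (client preference honoured). */
const char *negotiate_default(void)
{
    return select_cipher(server_prefs, COUNT(server_prefs),
                         client_prefs, COUNT(client_prefs), 0);
}

/* Outcome once the server sets SSL_OP_CIPHER_SERVER_PREFERENCE. */
const char *negotiate_server_pref(void)
{
    return select_cipher(server_prefs, COUNT(server_prefs),
                         client_prefs, COUNT(client_prefs), 1);
}

int main(void)
{
    printf("default (client order wins):     %s\n", negotiate_default());
    printf("SSL_OP_CIPHER_SERVER_PREFERENCE: %s\n", negotiate_server_pref());
    return 0;
}
```

With these lists the default run picks RC4-SHA, the client's favourite, even though the server ranked it last; setting the option makes the same server list yield AES256-SHA. That is the observation in the original question, reproduced: a correct and well-ordered server list has no effect on the choice until the option is set.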