Thanks Dave. I could not find the application explicitly calling SSL_set_cipher_list() anywhere, and it seemed to be using the new libraries. However, as per your suggestion I am now setting the cipher list in the application before SSL_connect, and it sends the desired ciphers.
Thanks,
Gauri

On Wed, May 4, 2011 at 3:05 AM, Dave Thompson <dthomp...@prinpay.com> wrote:
> > From: owner-openssl-us...@openssl.org On Behalf Of Gauri Kshirsagar
> > Sent: Tuesday, 03 May, 2011 05:37
>
> > I have built an SIP test application using openssl. I am trying
> > to restrict the ciphers sent by this application in Client Hello
> > to those with only RSA key exchange.
>
> > Is there a way to configure it in OpenSSL?
>
> > I tried to compile the source code with SSL_DEFAULT_CIPHER_LIST
> > set to "RSA:!aNULL:!eNULL:+RC4:@STRENGTH" in ssl.h.
>
> !aNULL after (only) RSA is a no-op.
>
> > When I run openssl ciphers -v the ciphers listed are just those with RSA,
>
> > C:\Openssl_src\openssl-0.9.8f\openssl-0.9.8f\out32dll>openssl.exe ciphers -v
> <snip>
>
> > but when I build the application using these new libraries
> > the application still sends all the ciphers as shown below
> <snip>
>
> 1. Make sure the application *runs* with your modified DLL(s).
> On Unix the equivalent is explicit, but IME most Windows versions
> formerly tried the executable's directory first and then PATH
> but recent Windows security patches apparently changed this.
>
> 2. The default is only the default. If the application calls
> SSL_[CTX_]set_cipher_list that overrides. Unless you have a
> reason to make this change across your entire system (or
> network) it's usually better for each application to configure
> its own cipherlists than have 3 or 5 or 20 different OpenSSLs.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
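An added example, not part of the thread and not code from the SIP application or the OpenSSL project, showing the application-level approach both messages land on: the cipher string from the thread is applied through Python's ssl module, whose set_ciphers() is a thin wrapper around the SSL_CTX_set_cipher_list() Dave refers to, and the resulting offer is checked to be RSA-key-exchange only. The function names selected_ciphers, key_exchanges and only_rsa_key_exchange are my own. In the C application the equivalent call is SSL_CTX_set_cipher_list(ctx, "RSA:!aNULL:!eNULL:+RC4:@STRENGTH") on the context before SSL_new()/SSL_connect().

```python
"""Added example (not the thread's or OpenSSL's own code): apply an OpenSSL
cipher string at application level and inspect what it actually selects.
Python's ssl.SSLContext.set_ciphers() calls SSL_CTX_set_cipher_list(), so the
selection logic exercised here is OpenSSL's, not Python's."""
import ssl

# Cipher string from the thread.  "!aNULL" after "RSA" removes nothing (Dave's
# point: RSA suites are never anonymous), and "+RC4" only re-orders RC4 suites
# that are already selected; on an OpenSSL that has moved RC4 out of the
# default provider it re-orders nothing.
THREAD_CIPHER_STRING = "RSA:!aNULL:!eNULL:+RC4:@STRENGTH"


def selected_ciphers(cipher_string=None):
    """Return the TLS <= 1.2 cipher suites a client context would offer.

    With cipher_string=None the context keeps the library/Python default,
    which is what an application gets when it never calls
    SSL_[CTX_]set_cipher_list() itself.  TLS 1.3 suites are filtered out
    because OpenSSL governs them separately (SSL_CTX_set_ciphersuites());
    a cipher string cannot restrict them, so they are not part of the
    "RSA only" question the thread asks.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cipher_string is not None:
        ctx.set_ciphers(cipher_string)  # -> SSL_CTX_set_cipher_list()
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def key_exchanges(cipher_string=None):
    """Set of key-exchange algorithms ('kx-rsa', 'kx-ecdhe', ...) offered."""
    return {c["kea"] for c in selected_ciphers(cipher_string)}


def only_rsa_key_exchange(cipher_string):
    """True when every offered (non-TLS-1.3) suite uses RSA key exchange,
    i.e. the Client Hello restriction the original question was after."""
    kx = key_exchanges(cipher_string)
    return bool(kx) and kx == {"kx-rsa"}


if __name__ == "__main__":
    print("default key exchanges:   ", sorted(key_exchanges()))
    print("restricted key exchanges:", sorted(key_exchanges(THREAD_CIPHER_STRING)))
    for c in selected_ciphers(THREAD_CIPHER_STRING):
        print(f"  {c['name']:28} {c['protocol']:8} {c['kea']:10} {c['auth']}")
```

Two caveats worth keeping in mind when porting this check back to C: the cipher string only shapes what the client offers in the Client Hello, the server still makes the final choice; and on OpenSSL 1.1.1 or later a TLS 1.3 client will additionally offer the TLS 1.3 suites unless SSL_CTX_set_ciphersuites() or a maximum protocol version is set, which is why the helper above looks only at the pre-1.3 suites.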