> From: owner-openssl-us...@openssl.org On Behalf Of Alex Chen
> Sent: Friday, 12 October, 2012 21:31
> The 'openssl ciphers -v' command shows the following cipher suites:
> <snip>
> If both the client and server use the same version of the openssl
> library and they only call OpenSSL_add_all_algorithms()
> to initialize the cipher list,
> I assume the first 'preferred' cipher, DHE-RSA-AES256-SHA,
> will be used, correct?

Not necessarily.

If either client or server calls SSL_[CTX_]set_cipher_list, that changes the list and order of ciphersuites it uses. If not, they will both use the default list, which is the same default list used and shown by ciphers [-v] with no argument.

The client sends its list in ClientHello. Unless you set "server preference", the server chooses the first ciphersuite in the client's list that is also in the server's list and usable.

An RSA-DHE suite is only usable, and will only be chosen, if the server has an RSA key+cert configured and either a tmp_dh key (or maybe parameters?) or a tmp_dh_callback. (According to the RFC, the cert must allow digitalSignature, but I don't think openssl enforces this.)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
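The selection rule described in the reply, as an added example (not OpenSSL code and not part of the thread). It is a small Python model: the suite names are real OpenSSL names, but the six-entry DEFAULT list, the ServerConfig fields and the usable() check are constructed simplifications of what OpenSSL actually tracks. The model covers the three points the reply makes: client order wins unless server preference is set, a DHE-RSA suite needs an RSA cert plus a tmp_dh key or tmp_dh_callback, and the digitalSignature keyUsage rule is deliberately not checked.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Suite:
    name: str   # OpenSSL ciphersuite name
    kx: str     # key exchange: "DHE" (ephemeral DH) or "RSA" (RSA key transport)
    auth: str   # server authentication: "RSA" or "DSS"


# Constructed sample: the first few entries of a 2012-era DEFAULT list, in order.
DEFAULT = [
    Suite("DHE-RSA-AES256-SHA", "DHE", "RSA"),
    Suite("DHE-DSS-AES256-SHA", "DHE", "DSS"),
    Suite("AES256-SHA",         "RSA", "RSA"),
    Suite("DHE-RSA-AES128-SHA", "DHE", "RSA"),
    Suite("DHE-DSS-AES128-SHA", "DHE", "DSS"),
    Suite("AES128-SHA",         "RSA", "RSA"),
]


@dataclass
class ServerConfig:
    cipher_list: list              # what SSL_[CTX_]set_cipher_list (or the default) left in force
    has_rsa_cert: bool = True      # RSA key+cert loaded
    has_dss_cert: bool = False     # DSA key+cert loaded
    has_tmp_dh: bool = False       # tmp_dh key/params or a tmp_dh_callback configured
    server_preference: bool = False  # SSL_OP_CIPHER_SERVER_PREFERENCE set


def usable(suite: Suite, cfg: ServerConfig) -> bool:
    """Can the server actually complete a handshake with this suite?

    Models only the key-material checks the reply mentions. The RFC's
    digitalSignature keyUsage requirement is intentionally not modelled,
    matching the reply's remark that openssl does not enforce it.
    """
    if suite.auth == "RSA" and not cfg.has_rsa_cert:
        return False
    if suite.auth == "DSS" and not cfg.has_dss_cert:
        return False
    if suite.kx == "DHE" and not cfg.has_tmp_dh:
        return False
    return True


def select_suite(client_hello: list, cfg: ServerConfig) -> Optional[Suite]:
    """Walk the preferred side's list in order and return the first suite that is
    also on the other side's list and usable by the server.

    Without server preference the client's ClientHello order is walked;
    with it, the server's own list order is walked. None means no shared
    usable suite, i.e. a handshake failure.
    """
    if cfg.server_preference:
        preferred, other = cfg.cipher_list, client_hello
    else:
        preferred, other = client_hello, cfg.cipher_list
    other_names = {s.name for s in other}
    for s in preferred:
        if s.name in other_names and usable(s, cfg):
            return s
    return None


def chosen_name(client_hello: list, cfg: ServerConfig) -> Optional[str]:
    s = select_suite(client_hello, cfg)
    return s.name if s else None


if __name__ == "__main__":
    # 1. Both sides on the default list, RSA cert only, no tmp_dh: the two DHE
    #    suites ahead of AES256-SHA are skipped as unusable.
    print(chosen_name(DEFAULT, ServerConfig(DEFAULT)))                  # AES256-SHA
    # 2. Configure tmp_dh: now the questioner's expectation holds.
    print(chosen_name(DEFAULT, ServerConfig(DEFAULT, has_tmp_dh=True)))  # DHE-RSA-AES256-SHA
    # 3. Server reorders its list and sets server preference: its order wins.
    srv = [DEFAULT[5], DEFAULT[2], DEFAULT[0]]
    print(chosen_name(DEFAULT, ServerConfig(srv, has_tmp_dh=True,
                                            server_preference=True)))    # AES128-SHA
    # 4. Same server list without server preference: client order wins again.
    print(chosen_name(DEFAULT, ServerConfig(srv, has_tmp_dh=True)))      # DHE-RSA-AES256-SHA
    # 5. No overlap at all: handshake failure.
    print(chosen_name([DEFAULT[5]], ServerConfig([DEFAULT[2]])))         # None
```

Case 1 is the one that answers the original question: with the stock configuration and no tmp_dh, the handshake silently lands on a non-forward-secret RSA key-transport suite even though DHE-RSA-AES256-SHA heads both lists, which is why checking the negotiated suite (for example with s_client) rather than the cipher list is the right test.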