> On 3/29/06, berle oliver <[EMAIL PROTECTED]> wrote:
>>I also found this thread which I didn't see earlier
>>http://groups.google.com/group/netscape.public.mozilla.crypto/browse_frm/thread/c7e57b3e6fa84bc9/0e2b74e796baf1e7?&hl=en#0e2b74e796baf1e7
>>
>>This works but introduces a new problem:
>>In order for it to work I have to disable all the
>>other types of encryption. As a result, other SSL
>>connections complain with messages like "Firefox and
>>XXX have no common encryption algorithms" which makes
>>sense but is not something I want. My question now is
>>whether it is possible to set the cipher suite to use
>>per connection rather than globally so as not to
>>disrupt other sites. Thanks!

No, that is not possible in the browser.
If your server doesn't want to do encryption,
disable the encryption-based cipher suites in the server.


Kyle Hamilton wrote:
> TLS and SSL work by finding the "highest-rated" algorithm that both
> sides support.  

Not exactly.  The client sends the server a list, saying "these are
the cipher suites that I (client) support."  The server picks one,
and says "we'll use this one".  The server never says "I support all
of these."

The server may pick ANY of the suites that are mutually supported.
Typically a server tries to pick the strongest mutually supported suite.
But a specialized server might pick the weakest mutually supported one.

> You could conceivably perform a standard handshake,
> determine that the connection doesn't need the encryption, and then
> force a renegotiation with only the NULL ciphers.

Who would "determine that the connection doesn't need the encryption"?
Presumably the server.  If the server never needs it then negotiate
a non-encryption cipher suite in the first handshake.

> (This would also allow you to determine if the client has the NULL
> ciphersets enabled, I believe, as I think the protocol tells both
> sides what the other side supports.)

SSL2 worked differently from SSL3+TLS in this respect.
SSL3+TLS work as I described above.

SSL2 had the client send a list of all its supported cipher suites
to the server, then the server sent a list back to the client, and
the client then chose one from the intersection of the two lists.
But in practice, the server chose, because the server would send
back a list that had only one cipher suite in it, the one that it
wanted to use, which narrowed the client's choices considerably.  ;)


/Nelson
_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
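
The SSL3/TLS selection model described in the message above, as an added example that is not part of the original thread: it parses the cipher suite list out of a ClientHello body and models a server that announces a single choice under a "strongest" or "weakest" policy. The suite code points are the registered ones; the strength ranking, the function names and the sample ClientHello are constructed for this illustration.

```python
import struct

# Real IANA code points; the strength figure (cipher key bits) is a ranking
# assumed for this example, not something the protocol carries.
SUITES = {
    0x0001: ("TLS_RSA_WITH_NULL_MD5", 0),
    0x0002: ("TLS_RSA_WITH_NULL_SHA", 0),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", 128),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 112),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", 256),
}

def offered_suites(hello):
    """Parse the cipher_suites list out of an SSL3/TLS ClientHello body."""
    pos = 2 + 32                          # client_version + random
    if len(hello) <= pos:
        raise ValueError("truncated ClientHello")
    pos += 1 + hello[pos]                 # session_id length byte + session_id
    if len(hello) < pos + 2:
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack_from("!H", hello, pos)
    pos += 2
    if n % 2 or len(hello) < pos + n:
        raise ValueError("bad cipher_suites length")
    return [c for (c,) in struct.iter_unpack("!H", hello[pos:pos + n])]

def server_pick(hello, enabled, policy="strongest"):
    """Server side: return the one suite announced, or None if nothing is mutual."""
    mutual = [c for c in offered_suites(hello) if c in enabled and c in SUITES]
    if not mutual:
        return None                       # handshake fails: no common suite
    bits = lambda c: SUITES[c][1]
    return max(mutual, key=bits) if policy == "strongest" else min(mutual, key=bits)

def null_suites_offered(hello):
    """Client-side audit: non-encrypting suites this ClientHello offers."""
    return [SUITES[c][0] for c in offered_suites(hello) if SUITES.get(c, ("", 1))[1] == 0]

def build_hello(codes):
    """Constructed sample: TLS 1.0 version, zero random, empty session id."""
    suites = b"".join(struct.pack("!H", c) for c in codes)
    return b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", len(suites)) + suites + b"\x01\x00"

SAMPLE = build_hello([0x0035, 0x000A, 0x0005, 0x0002])   # constructed client offer

if __name__ == "__main__":
    for policy in ("strongest", "weakest"):
        code = server_pick(SAMPLE, {0x0035, 0x0005, 0x0002}, policy)
        print(policy, SUITES[code][0])
    print("NULL suites offered:", null_suites_offered(SAMPLE))
```

A server with only NULL suites enabled gets a non-encrypting suite in the first handshake when the client offers one, and `None` models the "no common encryption algorithms" failure when it does not.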
