Nelson B Bolyard wrote:
> The client sends the server a list, saying "these are
> the cipher suites that I (client) support." The server picks one,
> and says "we'll use this one". The server never says "I support all
> of these."
To give a concrete example of this, with the Apache 2.0 web server and
the MOD_SSL Apache module, server-side selection of a ciphersuite is
under the control of the SSLCipherSuite directive:
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite
Using this directive you can completely control the list of ciphersuites
from which the server makes its (single) choice of ciphersuite,
including the order of preference in the (typical) case where the client
supports multiple ciphersuites.
The various ways in which you can specify ciphersuite preferences in
Apache are somewhat complicated, but if you just want the server to
support only null ciphersuites then it is pretty straightforward: You
can just specify
SSLCipherSuite NULL
to have your server support any null ciphersuite (and only null
ciphersuites), or (for example)
SSLCipherSuite NULL-SHA
to have the server support only the NULL-SHA ciphersuite (the SSLv3 null
ciphersuite using RSA and SHA1).
As noted in the Apache documentation for MOD_SSL, you can use the
command 'openssl ciphers -v' to verify the list of ciphersuites that the
server will be using; thus, for example, the output of the command
openssl ciphers -v 'NULL'
shows that using the Apache MOD_SSL directive 'SSLCipherSuite NULL' the
server's list of supported ciphersuites will be AECDH-NULL-SHA,
ECDH-RSA-NULL-SHA, ECDH-ECDSA-NULL-SHA, NULL-SHA, and NULL-MD5 in that
order.
Frank
--
Frank Hecker
[EMAIL PROTECTED]
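The selection rule Frank and Nelson describe (server receives the client's list, returns exactly one suite, reveals nothing else about what it would accept) can be modelled in a few lines. The following is an added example, not code from the original thread, from Apache or from OpenSSL; it assumes the five suite names quoted above as the server's configured list, a constructed client offer, and a switch for whether the server honours its own preference order or the client's (Apache 2.2 and later expose this as SSLHonorCipherOrder; the 2.0 release discussed in the post does not have it). It also includes the check a defender actually wants here: flagging any configured suite with a NULL bulk cipher, since such a suite authenticates but does not encrypt.

```python
"""Model of TLS cipher-suite negotiation plus a NULL-suite audit (added example)."""
from typing import List, Optional, Sequence

# Server-side list as reported by `openssl ciphers -v 'NULL'` in the post above,
# in the order OpenSSL prints it (this is the server's preference order).
NULL_SUITES: List[str] = [
    "AECDH-NULL-SHA",
    "ECDH-RSA-NULL-SHA",
    "ECDH-ECDSA-NULL-SHA",
    "NULL-SHA",
    "NULL-MD5",
]

# Constructed client offer (hypothetical ClientHello contents, not from the post).
CLIENT_OFFER: List[str] = ["AES256-SHA", "NULL-MD5", "NULL-SHA"]


def select_cipher_suite(
    server_suites: Sequence[str],
    client_suites: Sequence[str],
    honor_server_order: bool = True,
) -> Optional[str]:
    """Return the single suite the server announces in ServerHello, or None.

    The server walks one list in preference order and returns the first entry
    that also appears in the other list. Which list drives the walk is the
    only policy knob; the client never learns the rest of the server's list.
    """
    if honor_server_order:
        preferred, acceptable = server_suites, set(client_suites)
    else:
        preferred, acceptable = client_suites, set(server_suites)
    for suite in preferred:
        if suite in acceptable:
            return suite
    return None  # no overlap: the server would send a handshake_failure alert


def offers_no_encryption(suite: str) -> bool:
    """True when the OpenSSL suite name carries a NULL bulk-cipher component."""
    return "NULL" in suite.upper().split("-")


def audit_server_list(server_suites: Sequence[str]) -> List[str]:
    """Return the configured suites that would put plaintext on the wire."""
    return [s for s in server_suites if offers_no_encryption(s)]


if __name__ == "__main__":
    print("server order :", select_cipher_suite(NULL_SUITES, CLIENT_OFFER, True))
    print("client order :", select_cipher_suite(NULL_SUITES, CLIENT_OFFER, False))
    print("unencrypted  :", audit_server_list(NULL_SUITES))
```

With the constructed offer, honouring the server's order yields NULL-SHA (the first of the server's five suites that the client also listed), whereas honouring the client's order yields NULL-MD5; AES256-SHA is never chosen because the server, configured with 'SSLCipherSuite NULL', does not have it at all. The audit reports every one of the five suites, which is exactly what an operator who only meant to test with null ciphers should expect to see before such a configuration reaches production.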
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto