Lutz Jaenicke wrote:
> 
> Hi,
> 
> when running in server mode, I want to obtain a list of the ciphers the
> client presented (for debugging purposes).
> If did not miss anything (while reading the source and doing experiments
> with s_server and s_client, this list is obtained by calling
> SSL_get_shared_ciphers().
> While this might give me what I want, the name of the function is a bit
> misleading, isn't it?
> - Is this behaviour intended?
> - Should the the behaviour be changed (probably breaking existing code)?
> 
> To reproduce, call "openssl s_server -cipher DEFAULT:-DSS" and call
> "openssl s_client -cipher DEFAULT", the server will still list the
> DSS ciphers. Call "openssl s_client -cipher DEFAULT:-DSS" and the
> server will not list them anymore, so what the server is going to list
> _is_ the list of ciphers listed by the client, not the list of shared
> ciphers. The last one would also include an evaluation of the available
> certs, because this further restricts the available certificates, see
> ssl3_choose_cipher().
> 

Interesting. Maybe we should have a new function
SSL_get_common_ciphers() which does the right thing and
SSL_get_client_ciphers() for those sent by the client.

Also I note that s_server doesn't appear to list ciphers which it
doesn't recognise. This would be a useful addition so we could spot when
clients support new cipher suites.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to