Lutz Jaenicke wrote:
>
> Hi,
>
> when running in server mode, I want to obtain a list of the ciphers the
> client presented (for debugging purposes).
> If did not miss anything (while reading the source and doing experiments
> with s_server and s_client, this list is obtained by calling
> SSL_get_shared_ciphers().
> While this might give me what I want, the name of the function is a bit
> misleading, isn't it?
> - Is this behaviour intended?
> - Should the the behaviour be changed (probably breaking existing code)?
>
> To reproduce, call "openssl s_server -cipher DEFAULT:-DSS" and call
> "openssl s_client -cipher DEFAULT", the server will still list the
> DSS ciphers. Call "openssl s_client -cipher DEFAULT:-DSS" and the
> server will not list them anymore, so what the server is going to list
> _is_ the list of ciphers listed by the client, not the list of shared
> ciphers. The last one would also include an evaluation of the available
> certs, because this further restricts the available certificates, see
> ssl3_choose_cipher().
>
Interesting. Maybe we should have a new function
SSL_get_common_ciphers() which does the right thing and
SSL_get_client_ciphers() for those sent by the client.
Also I note that s_server doesn't appear to list ciphers which it
doesn't recognise. This would be a useful addition so we could spot when
clients support new cipher suites.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]