Jeffrey Altman wrote:
> 
> Ben wrote:
> >
> > Jeffrey Altman wrote:
> > >
> > > For the Kerberos 5 ciphers, I want to filter the allowed ciphers based
> > > upon whether or not there is a keytab file on the server side; or
> > > client credentials on the client side.  Could someone point out to me
> > > the appropriate place in the SSL code to insert these filters?
> >
> > The first one sounds like you can do it in advance (i.e. before the
> > connection is established), in which case, you need
> > SSL_CTX_set_cipher_list(). The second you just check after the
> > connection is established, using SSL_get_cipher().
> >
> > Or were you wanting to do something more sophisticated?
> >
> 
> I was thinking of something more sophisticated but this might be good
> enough.  I assume you meant SSL_get_ciphers() and not
> SSL_get_cipher()?

No, I meant what I said.

> Perhaps a better place to put it in the client would be in
> ssl_cipher_list_to_bytes() and for the server
> ssl_bytes_to_cipher_list() as they appear to be translator/filter
> functions that are used in the appropriate places.

That doesn't sound quite right, no - there is a place where a list of
negotiable ciphers is assembled, but I can't remember where off the top
of my head - somewhere in ssl/*.c - I guess that if that happens after
the client cert has been handled, you could do it there.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
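
An added example, not part of the original message or of OpenSSL's own code: the two checks suggested in the reply above, written as plain C helpers. It assumes an OpenSSL build that includes the Kerberos suites and their "KRB5" cipher-string keyword; the function names and paths are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Build the string to hand to SSL_CTX_set_cipher_list() before any
 * connection is made. cred_path is the keytab (server side) or the
 * credential cache (client side). If it is not readable, "!KRB5" is
 * appended so that no Kerberos suite can be offered or selected.
 * Returns 0 on success, -1 if out is too small (caller must not use out). */
int build_cipher_list(const char *base, const char *cred_path,
                      char *out, size_t outlen)
{
    int have_creds = cred_path != NULL && access(cred_path, R_OK) == 0;
    int n = snprintf(out, outlen, "%s%s", base, have_creds ? "" : ":!KRB5");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Post-handshake check on the name returned by SSL_get_cipher(ssl).
 * Kerberos suite names contain "KRB5", e.g. "KRB5-DES-CBC3-SHA".
 * Returns 1 to keep the connection, 0 to shut it down. */
int negotiated_cipher_ok(const char *cipher_name, int have_creds)
{
    /* No cipher negotiated yet (OpenSSL reports "(NONE)"): fail closed. */
    if (cipher_name == NULL || strcmp(cipher_name, "(NONE)") == 0)
        return 0;
    /* A Kerberos suite without usable credentials must not proceed. */
    if (strstr(cipher_name, "KRB5") != NULL && !have_creds)
        return 0;
    return 1;
}

int main(void)
{
    char list[128];
    /* Constructed sample path; substitute the real keytab location. */
    if (build_cipher_list("DEFAULT", "/etc/krb5.keytab", list, sizeof list) == 0)
        printf("cipher list: %s\n", list);
    printf("KRB5 suite, no creds -> %d\n",
           negotiated_cipher_ok("KRB5-DES-CBC3-SHA", 0));
    return 0;
}
```

The readability test runs once, when the cipher list is built, so a keytab removed later is only caught by the post-handshake check.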
