> On Mon, Nov 27, 2000 at 04:11:31PM -0500, Jeffrey Altman wrote:
> > The way I see it, the KRB5 ciphers need to be filtered out at the
> > location where the Client Hello message is both constructed in the
> > client and processed in the server.  That is why I am looking at the
> > translation functions.  If KRB5 can't possibly succeed, don't offer
> > them to the server or ignore them on the server.
> 
> I am not sure whether I missed something. The list of ciphers available
> (that is: offered by the client and/or accepted by the server) is set
> with SSL_CTX_set_cipher_list() (or SSL_set_cipher_list(), respectively).
> Only the ciphers allowed there are offered from the client to the server;

Right. But the fact that an application says you can use KRB5:DSS does
not mean that at the time the connection is made the KRB5 could ever
succeed.  The client credentials may have expired.

Therefore, if the TLS client can determine at runtime that the
credentials are not available, it should prevent the KRB5 ciphers from
being offered to the server.

> the server will only pick a cipher if it was set using these functions.
> Actually, the usable list is even more restricted: a DSA cipher will
> only be chosen if the server has a DSA certificate, ciphers with DH
> (this includes DSA ciphers) will only be chosen if DH parameters are set...
> 
> What OpenSSL does not offer is a server-side "cipher choice" callback.
> The client sends a list of ciphers and an openssl server will always choose
> the first of the ciphers it does support.

Right.  I want to ensure that the library does not choose KRB5 if the
library was compiled with KRB5 support but the server was not
configured for KRB5 use (i.e., no Kerberos 5 keytab file is provided).



                  Jeffrey Altman * Sr.Software Designer
                 The Kermit Project * Columbia University
               612 West 115th St * New York, NY * 10025 * USA
     http://www.kermit-project.org/ * [EMAIL PROTECTED]
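The runtime filtering Jeffrey describes, done at the application layer before SSL_CTX_set_cipher_list() is called (an added example, not code from this thread or from OpenSSL, and a stand-in for the in-library filtering he proposes): entries containing "KRB5" are dropped from the configured list when no credentials are available. Assumed: OpenSSL's ':'-separated cipher-list syntax, that the KRB5 suites carry "KRB5" in their names, and a readable keytab at /etc/krb5.keytab as the server-side availability signal.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Copy the ':'-separated cipher list `in` to `out`, dropping every entry whose
 * name contains "KRB5" (assumption: that is how the KRB5 suites are named)
 * unless krb5_ok is set. Returns entries kept, or -1 if `out` is too small. */
int filter_krb5_ciphers(const char *in, int krb5_ok, char *out, size_t outlen)
{
    char tok[128];
    size_t used = 0;
    int kept = 0;
    const char *p = in;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    while (*p) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len >= sizeof tok)
            return -1;
        memcpy(tok, p, len);
        tok[len] = '\0';
        if (len > 0 && (krb5_ok || strstr(tok, "KRB5") == NULL)) {
            if (used + len + (kept ? 1 : 0) >= outlen)
                return -1;
            if (kept)
                out[used++] = ':';
            memcpy(out + used, tok, len);
            used += len;
            out[used] = '\0';
            kept++;
        }
        p = sep ? sep + 1 : p + len;
    }
    return kept;
}

int main(void)
{
    char effective[256];
    /* Constructed list; assumption: a readable keytab means KRB5 is usable. */
    const char *configured = "KRB5-DES-CBC3-SHA:KRB5-RC4-SHA:DHE-DSS-AES256-SHA:AES128-SHA";
    int krb5_ok = access("/etc/krb5.keytab", R_OK) == 0;   /* path is an assumption */
    int kept = filter_krb5_ciphers(configured, krb5_ok, effective, sizeof effective);
    printf("KRB5 usable: %d, %d ciphers offered: %s\n", krb5_ok, kept, effective);
    /* SSL_CTX_set_cipher_list(ctx, effective) would then install this list. */
    return 0;
}
```

The same check on the client side would test ticket availability and lifetime instead of the keytab, which is the expiry case Jeffrey raises above.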


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
