On Tue, Nov 28, 2000 at 09:39:17AM +0000, Ben Laurie wrote:
> > What OpenSSL does not offer is a server-side "cipher choice" callback.
> > The client sends a list of ciphers and an OpenSSL server will always choose
> > the first of the ciphers it does support.
>
> The point is that he wants to vary the list according to whether the
> client presented a cert or not. Hadn't really thought about a cipher
> choice callback, but actually that might be a cool way to address the
> problem.
While such a callback may be a good thing or not, I don't think it solves this
specific problem. The TLS protocol implies that the server selects
the cipher to be used, then sends its choice to the client together with
the CertificateRequest. Only after this point will it learn whether the
client returned a certificate or not.
At this point only a ChangeCipherSpec could be used to change the cipher
_after_ learning that there is no client certificate!?
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
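The ordering argument in the message above, modelled as a handshake transcript. This is an added example, not code from the thread or from OpenSSL: it replays the TLS 1.0 full handshake with a CertificateRequest, selects the cipher with the rule the thread attributes to the OpenSSL server (first cipher in the client's list that the server supports), and checks where in the transcript that choice is fixed relative to the client's Certificate message. The cipher names, the server's configured list and the message bodies are constructed placeholders; `handshake`, `choose_cipher` and `cipher_fixed_before_client_cert` are names chosen for this example.

```python
"""Model of the TLS 1.0 handshake ordering discussed in the thread.

Constructed example, not OpenSSL code. Cipher names are illustrative
OpenSSL-style names, not real suite identifiers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:
    sender: str            # "client" or "server"
    name: str              # handshake message type (ChangeCipherSpec is its own record type)
    body: object = None    # constructed placeholder payload


# Constructed: what the server is configured to accept, in its own preference order.
SERVER_CIPHERS = ["DES-CBC3-SHA", "RC4-MD5", "EXP-RC4-MD5"]


def choose_cipher(client_ciphers, server_ciphers):
    """Pick the first cipher in the client's list that the server supports,
    the selection rule the thread attributes to the OpenSSL server."""
    for c in client_ciphers:
        if c in server_ciphers:
            return c
    # A real server would send a handshake_failure alert here.
    raise ValueError("no shared cipher")


def handshake(client_ciphers, client_cert, server_ciphers=SERVER_CIPHERS):
    """Return the ordered transcript of a full handshake in which the server
    requests a client certificate. client_cert is None when the client has none."""
    t = [Msg("client", "ClientHello", {"cipher_suites": list(client_ciphers)})]

    # The server must commit to a cipher here. It has seen only the ClientHello,
    # so nothing about the client's certificate can influence this choice.
    chosen = choose_cipher(client_ciphers, server_ciphers)
    t.append(Msg("server", "ServerHello", {"cipher_suite": chosen}))
    t.append(Msg("server", "Certificate", "server-cert"))
    t.append(Msg("server", "CertificateRequest", {"types": ["rsa_sign"]}))
    t.append(Msg("server", "ServerHelloDone"))

    # Only now does the client answer the request; an empty Certificate
    # message is how a client says it has none.
    t.append(Msg("client", "Certificate", client_cert))
    t.append(Msg("client", "ClientKeyExchange", "encrypted-premaster"))
    if client_cert is not None:
        t.append(Msg("client", "CertificateVerify", "signature"))
    # ChangeCipherSpec activates the cipher negotiated in ServerHello.
    t.append(Msg("client", "ChangeCipherSpec"))
    t.append(Msg("client", "Finished"))
    t.append(Msg("server", "ChangeCipherSpec"))
    t.append(Msg("server", "Finished"))
    return t


def index_of(transcript, sender, name):
    """Position of the first message from `sender` with the given type."""
    return next(i for i, m in enumerate(transcript)
                if m.sender == sender and m.name == name)


def negotiated_cipher(transcript):
    return transcript[index_of(transcript, "server", "ServerHello")].body["cipher_suite"]


def cipher_fixed_before_client_cert(transcript):
    """True when the server committed to a cipher before it could have seen the
    client's Certificate message, which is the ordering the protocol imposes."""
    return (index_of(transcript, "server", "ServerHello")
            < index_of(transcript, "client", "Certificate"))


if __name__ == "__main__":
    offered = ["EXP-RC4-MD5", "DES-CBC3-SHA"]   # constructed client preference list
    for cert in ("client-cert", None):
        t = handshake(offered, cert)
        print(f"client cert={cert!r}: negotiated {negotiated_cipher(t)}, "
              f"fixed before client Certificate: {cipher_fixed_before_client_cert(t)}")
```

Running it with and without a client certificate yields the same negotiated cipher, because the only input to `choose_cipher` is the ClientHello; a server-side cipher callback invoked at ServerHello time would have exactly the same information and so could not key its choice on whether a certificate is later presented.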