Lutz Jaenicke wrote:
> 
> On Tue, Nov 28, 2000 at 09:39:17AM +0000, Ben Laurie wrote:
> > > What OpenSSL does not offer is a server-side "cipher choice" callback.
> > > The client sends a list of ciphers and an openssl server will always choose
> > > the first of the ciphers it does support.
> >
> > The point is that he wants to vary the list according to whether the
> > client presented a cert or not. Hadn't really thought about a cipher
> > choice callback, but actually that might be a cool way to address the
> > problem.
> 
> While such a callback may be a good thing or not, I don't think it solves this
> specific problem. The TLS protocol implies that the server selects
> the cipher to be used, then sends its choice to the client together with
> the CertificateRequest. Only after this point will it learn whether the
> client returned a certificate or not.

I hadn't checked on the order of these yet but this would obviously be a
sticking point.

> At this point only a ChangeCipherSpec could be used to change the cipher
> _after_ learning that there is no client certificate!?

Yes, though many clients seem to get rather flakey if this is done, so
whether it is a good idea is unclear.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
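A toy model of the handshake order Lutz describes, added here as an illustration and not code from the thread or from OpenSSL. The cipher names, the handshake() helper and the policy functions are constructed; the point is that ServerHello fixes the cipher before the client's Certificate message can be seen, so a cert-dependent choice can only be applied by a second handshake.

```python
# Added example, not code from the thread: a toy model of the TLS 1.0
# handshake message order, showing that the server commits to a cipher in
# ServerHello before it can know whether the client will send a certificate.
# Cipher names and all helpers below are constructed for illustration.

def choose_cipher(client_ciphers, server_supported):
    """Selection as described in the thread: the first cipher in the
    client's list that the server also supports."""
    for c in client_ciphers:
        if c in server_supported:
            return c
    raise ValueError("no shared cipher")


def handshake(client_ciphers, client_has_cert, server_supported):
    """Return the ordered transcript as (sender, message, detail) tuples for a
    full handshake in which the server sends a CertificateRequest."""
    cipher = choose_cipher(client_ciphers, server_supported)
    t = [("client", "ClientHello", tuple(client_ciphers)),
         ("server", "ServerHello", cipher),          # cipher is fixed here
         ("server", "Certificate", "server-cert"),
         ("server", "CertificateRequest", None),
         ("server", "ServerHelloDone", None),
         # Only now does the client answer the CertificateRequest; an empty
         # Certificate message means "no client certificate".
         ("client", "Certificate", "client-cert" if client_has_cert else "empty"),
         ("client", "ClientKeyExchange", None)]
    if client_has_cert:
        t.append(("client", "CertificateVerify", None))
    t += [("client", "ChangeCipherSpec", None), ("client", "Finished", None),
          ("server", "ChangeCipherSpec", None), ("server", "Finished", None)]
    return t


def index_of(transcript, sender, message):
    return next(i for i, (s, m, _) in enumerate(transcript) if (s, m) == (sender, message))


def cipher_chosen_before_client_cert(transcript):
    """True when ServerHello precedes the client's Certificate message."""
    return index_of(transcript, "server", "ServerHello") < index_of(transcript, "client", "Certificate")


def renegotiation_needed(transcript, cipher_if_cert, cipher_if_no_cert):
    """Apply a cert-dependent cipher policy after the fact: getting a cipher
    other than the one already negotiated requires a second handshake."""
    has_cert = transcript[index_of(transcript, "client", "Certificate")][2] != "empty"
    wanted = cipher_if_cert if has_cert else cipher_if_no_cert
    return transcript[index_of(transcript, "server", "ServerHello")][2] != wanted
```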
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]