On Tue, Nov 28, 2000 at 09:21:21AM -0500, Jeffrey Altman wrote:
> Given the direction this thread has taken I think I need to explain
> something about Kerberos 5 which I just assumed was a known fact.
> Kerberos 5 is not a public key algorithm.  It is a symmetric key
> algorithm.  Therefore, both the client and the server must have
> their respective credentials before the protocol negotiations begin,
> otherwise, failure is guaranteed.

It was good to explain things. I have never touched Kerberos, so maybe I
still have not understood everything.

> The only question that I have is where in the process of constructing
> the ClientHello message should the client filter out KRB5 ciphers; and
> where in the processing of the ClientHello message should the server
> ignore KRB5 ciphers.

I understand this to mean that you are working _inside_ the OpenSSL
library. The application does not see any modification!?

> My guess at the moment is that the easiest place is in the functions
> that convert stacks of ciphers to/from byte streams of ciphers since
> those functions must be called in all of the appropriate places.

That would be one place to go. For the client, there is no other step
involved than calling ssl_cipher_list_to_bytes().
If you are not working _inside_ the OpenSSL library,
you would check the condition, then call
  SSL_set_cipher_list(ssl, "Normal_string:-KRB5");
to use the normal cipher string but no KRB ciphers, just before SSL_connect().

For the server, the same applies for the "outside OpenSSL" approach,
call SSL_set_cipher_list() as appropriate.
Inside OpenSSL, you should have a look into the ssl3_choose_cipher()
function.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
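The two filtering points discussed in the thread, the client serialising its cipher stack into the ClientHello (what ssl_cipher_list_to_bytes() does in OpenSSL) and the server picking a suite from what was offered (what ssl3_choose_cipher() does), as a constructed model in C. This is an added example, not OpenSSL source and not code from either poster; the preference lists, the "have credentials" / "have keytab" flags and the function names are assumptions standing in for the real stacks and for whatever Kerberos credential check an application performs. The suite ids are the TLS 1.0 / RFC 2712 values. It shows why both ends have to filter: a server that lacks a keytab must skip KRB5 suites even if the client offered them, and a client that offers only KRB5 suites to such a server gets the guaranteed failure described above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model (not OpenSSL source) of cipher-suite filtering at the
 * two points named in the thread: the client side when it serialises its
 * cipher stack into the ClientHello, and the server side when it chooses a
 * suite from the offered list.  Suite ids are RFC 2246 / RFC 2712 values.
 */

enum kx { KX_RSA, KX_DHE_RSA, KX_KRB5 };

typedef struct {
    uint16_t id;
    enum kx kx;
    const char *name;
} suite;

/* Illustrative preference lists (constructed for this example). */
static const suite client_prefs[] = {
    { 0x001F, KX_KRB5,    "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
    { 0x0020, KX_KRB5,    "TLS_KRB5_WITH_RC4_128_SHA" },
    { 0x0016, KX_DHE_RSA, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x000A, KX_RSA,     "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
};
#define N_CLIENT (sizeof client_prefs / sizeof client_prefs[0])

static const suite server_prefs[] = {
    { 0x001F, KX_KRB5,    "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
    { 0x000A, KX_RSA,     "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x0016, KX_DHE_RSA, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
};
#define N_SERVER (sizeof server_prefs / sizeof server_prefs[0])

/* Client side: emit the 2-byte suite ids in preference order, dropping the
 * KRB5 suites when the client holds no Kerberos credentials (the flag is an
 * assumed stand-in for a real credential-cache check).  Returns bytes written. */
size_t client_list_to_bytes(const suite *prefs, size_t n, int have_krb5_creds,
                            uint8_t *out, size_t outlen)
{
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        if (prefs[i].kx == KX_KRB5 && !have_krb5_creds)
            continue;                    /* never offer what we cannot complete */
        if (len + 2 > outlen)
            break;
        out[len++] = (uint8_t)(prefs[i].id >> 8);
        out[len++] = (uint8_t)(prefs[i].id & 0xff);
    }
    return len;
}

/* Server side: first suite in the server's own preference order that the
 * client offered and that the server can complete.  KRB5 suites are skipped
 * when the server has no keytab (assumed stand-in for the real check).
 * Returns 0 when nothing matches, i.e. handshake failure. */
uint16_t server_choose(const uint8_t *hello, size_t hellolen,
                       const suite *prefs, size_t n, int have_krb5_keytab)
{
    for (size_t i = 0; i < n; i++) {
        if (prefs[i].kx == KX_KRB5 && !have_krb5_keytab)
            continue;
        for (size_t j = 0; j + 1 < hellolen; j += 2) {
            uint16_t offered = (uint16_t)((hello[j] << 8) | hello[j + 1]);
            if (offered == prefs[i].id)
                return prefs[i].id;
        }
    }
    return 0;
}

/* One negotiation end to end with the constructed preference lists. */
uint16_t negotiate(int client_has_creds, int server_has_keytab)
{
    uint8_t hello[2 * N_CLIENT];
    size_t len = client_list_to_bytes(client_prefs, N_CLIENT, client_has_creds,
                                      hello, sizeof hello);
    return server_choose(hello, len, server_prefs, N_SERVER, server_has_keytab);
}

int main(void)
{
    printf("both sides have Kerberos: 0x%04x\n", negotiate(1, 1));
    printf("client lacks credentials: 0x%04x\n", negotiate(0, 1));
    printf("server lacks keytab:      0x%04x\n", negotiate(1, 0));
    return 0;
}
```

The "outside OpenSSL" route from the mail is the equivalent of the client-side filter only: check for credentials, then call SSL_set_cipher_list(ssl, "...:-KRB5") before SSL_connect() (and likewise on the server before SSL_accept()). Note that this is of historical interest for current deployments, since the KRB5 cipher suites were removed from OpenSSL in 1.1.0.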
