Lutz wrote:
> 
> > The only question that I have is where in the process of constructing
> > the ClientHello message should the client filter out KRB5 ciphers; and
> > where in the processing of the ClientHello message should the server
> > ignore KRB5 ciphers.
> 
> I understand this in the way, that you are working _inside_ the OpenSSL
> library. The application does not see any modification!?

Correct.  I am working inside the OpenSSL library.  I am a strong
believer in making sure that things we can do right inside the library
are done inside the library so that application developers do not get
unexplained behavior simply because they forgot to do something.  It
is an issue similar to the seeding of the PRNG.  Don't trust the
application developer to know or understand everything that must be
done.

> > My guess at the moment is that the easiest place is in the functions
> > that convert stacks of ciphers to/from byte streams of ciphers since
> > those functions must be called in all of the appropriate places.
> 
> That would be one place to go. For the client, there is no other step
> involved than calling ssl_cipher_list_to_bytes().
> If you are not working _inside_ the OpenSSL library,
> you would check the condition, then call
>   SSL_set_cipher_list(ssl, "Normal_string:-KRB5");
> to use the normal cipher string but no KRB ciphers, just before SSL_connect().
> 
> For the server, the same applies for the "outside OpenSSL" approach,
> call SSL_set_cipher_list() as appropriate.
> Inside OpenSSL, you should have a look into the ssl3_choose_cipher()
> function.

Thanks.  This is what I needed to know.

Great.

                  Jeffrey Altman * Sr.Software Designer
                 The Kermit Project * Columbia University
               612 West 115th St * New York, NY * 10025 * USA
     http://www.kermit-project.org/ * [EMAIL PROTECTED]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
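The two places Lutz names, the client's cipher-stack serialiser and the server's suite-selection step, are where a library-side KRB5 filter would sit. The following is an added illustration, not OpenSSL code and not Jeffrey's patch: a self-contained C model of both hooks. The function names echo ssl_cipher_list_to_bytes() and ssl3_choose_cipher() from the thread but are constructed here; the suite table, the suite ids (the KRB5 values are the RFC 2712 assignments) and the `krb5_usable` predicate standing in for "the condition" (for example, whether a credential cache or keytab is present) are all assumptions of this example. One caveat for the "outside OpenSSL" route in the reply: in OpenSSL's cipher-string syntax `-KRB5` removes the KRB5 suites from the list but a later clause can add them back, whereas `!KRB5` removes them permanently.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a cipher suite record (not OpenSSL's SSL_CIPHER). */
typedef struct {
    uint16_t id;        /* 16-bit suite id as it appears on the wire */
    const char *name;
    bool krb5;          /* true when the key exchange is Kerberos 5 (RFC 2712) */
} suite_t;

/* Constructed preference table, most preferred first. */
static const suite_t SUITES[] = {
    { 0x001F, "KRB5-DES-CBC3-SHA", true  },   /* TLS_KRB5_WITH_3DES_EDE_CBC_SHA */
    { 0x002F, "AES128-SHA",        false },   /* TLS_RSA_WITH_AES_128_CBC_SHA */
    { 0x000A, "DES-CBC3-SHA",      false },   /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
};
#define NSUITES (sizeof SUITES / sizeof SUITES[0])

/* Client side: serialise the preference stack into ClientHello wire form.
   The KRB5 check lives here so that every caller of the serialiser gets it,
   whether or not the application remembered to adjust its cipher string.
   `krb5_usable` is the assumed predicate from the thread ("the condition").
   Returns the number of bytes written; never writes past `outlen`. */
size_t cipher_list_to_bytes(const suite_t *list, size_t n, bool krb5_usable,
                            uint8_t *out, size_t outlen)
{
    size_t written = 0;
    for (size_t i = 0; i < n; i++) {
        if (list[i].krb5 && !krb5_usable)
            continue;                       /* leave the suite out of the hello */
        if (written + 2 > outlen)
            break;                          /* buffer full: stop, do not overrun */
        out[written++] = (uint8_t)(list[i].id >> 8);
        out[written++] = (uint8_t)(list[i].id & 0xff);
    }
    return written;
}

/* Server side: take the first suite in server preference order that the
   client offered, skipping KRB5 suites when the server cannot use them.
   This is the selection step the thread points at for the server.
   Returns NULL when the list is malformed or nothing matches. */
const suite_t *choose_cipher(const uint8_t *client, size_t clientlen,
                             const suite_t *prefs, size_t n, bool krb5_usable)
{
    if (clientlen % 2 != 0)
        return NULL;                        /* odd length: reject rather than guess */
    for (size_t i = 0; i < n; i++) {
        if (prefs[i].krb5 && !krb5_usable)
            continue;
        for (size_t j = 0; j + 1 < clientlen; j += 2) {
            uint16_t id = (uint16_t)((client[j] << 8) | client[j + 1]);
            if (id == prefs[i].id)
                return &prefs[i];
        }
    }
    return NULL;
}

int main(void)
{
    uint8_t hello[2 * NSUITES];
    /* Client without Kerberos credentials: KRB5 suite is silently dropped. */
    size_t len = cipher_list_to_bytes(SUITES, NSUITES, false, hello, sizeof hello);
    printf("client offers %zu bytes:", len);
    for (size_t i = 0; i < len; i++)
        printf(" %02x", hello[i]);
    printf("\n");

    /* Server with Kerberos available still cannot pick KRB5: it was not offered. */
    const suite_t *c = choose_cipher(hello, len, SUITES, NSUITES, true);
    printf("server chose %s\n", c ? c->name : "(none)");
    return 0;
}
```

Because both sides filter at the boundary where the suite list is produced or consumed, an application that calls SSL_connect() with the default cipher string never advertises a KRB5 suite it cannot complete, and a server without a keytab never selects one, which is the "don't rely on the application developer" point made above.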