On Mon, Nov 27, 2000 at 08:11:17PM -0800, David Schwartz wrote:
>
> > Right. I want to ensure that the library does not choose KRB5 if the
> > library was compiled with KRB5 support but the server was not
> > configured for KRB5 use. (i.e., no Kerberos 5 keytab file is provided)
>
> I have a similar issue. I'd like to be able to prefer 128-bit ciphers
> first, 168-bit ciphers second, and 56-bit ciphers lowest. Perhaps we can
> come up with one solution that meets both of our requirements. I'd suggest
> adding two hooks, one to control what ciphers are advertised to the client
> and one to select which common cipher is actually used.

The way that ciphersuite selection was supposed to work in SSLv3 and TLS is
that the client and server send their ciphersuites in an ordered
list with the most preferred first. The server then selects
the best match.

Unfortunately a rigorous description of this didn't get into either spec.

BTW, in SSLv3 and TLS the server doesn't advertise the ciphersuites
to the client.

--
Eric Murray Consulting Security Architect SecureDesign LLC
http://www.securedesignllc.com PGP keyid:E03F65E5
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
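
The selection step discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL code: the server matches the client's ordered list against its own policy (128-bit first, 168-bit second, 56-bit last) and skips Kerberos 5 suites when no keytab is configured. The struct, function names, suite table and client list are hypothetical sample values.

```c
#include <stddef.h>
#include <string.h>

/* A server-side suite entry. Names are sample values in OpenSSL's naming style. */
struct suite {
    const char *name;
    int needs_krb5;   /* usable only when a Kerberos 5 keytab is configured */
};

/* Server policy from the thread: 128-bit first, 168-bit second, 56-bit last. */
static const struct suite server_pref[] = {
    { "RC4-SHA",           0 },  /* 128-bit */
    { "DES-CBC3-SHA",      0 },  /* 168-bit */
    { "KRB5-DES-CBC3-SHA", 1 },  /* 168-bit, Kerberos 5 */
    { "DES-CBC-SHA",       0 },  /* 56-bit */
};
#define N_SERVER (sizeof server_pref / sizeof server_pref[0])

static int enabled(const struct suite *s, int have_keytab)
{
    return !s->needs_krb5 || have_keytab;
}

/*
 * Pick a suite common to both sides, or NULL if there is none.
 * client[] is the client's list, most preferred first.
 * server_order != 0: first match in the server's order wins.
 * server_order == 0: first match in the client's order wins.
 */
const char *select_suite(const char *const client[], size_t n_client,
                         int have_keytab, int server_order)
{
    size_t i, j;
    if (server_order) {
        for (j = 0; j < N_SERVER; j++)
            if (enabled(&server_pref[j], have_keytab))
                for (i = 0; i < n_client; i++)
                    if (strcmp(client[i], server_pref[j].name) == 0)
                        return server_pref[j].name;
    } else {
        for (i = 0; i < n_client; i++)
            for (j = 0; j < N_SERVER; j++)
                if (enabled(&server_pref[j], have_keytab) &&
                    strcmp(client[i], server_pref[j].name) == 0)
                    return server_pref[j].name;
    }
    return NULL;
}

/* Constructed ClientHello list, most preferred first. */
const char *const sample_client[] = {
    "KRB5-DES-CBC3-SHA", "DES-CBC3-SHA", "RC4-SHA", "DES-CBC-SHA"
};
```

With the sample client list, honoring the client's order and no keytab yields the 168-bit suite, while the server's order yields the 128-bit one; a client offering only the Kerberos suite gets no match unless a keytab is present.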