Jeffrey Altman wrote:
>
> > Jeffrey Altman wrote:
> > > My guess at the moment is that the easiest place is in the functions
> > > that convert stacks of ciphers to/from byte streams of ciphers since
> > > those functions must be called in all of the appropriate places.
> >
> > OK, but this seems like a nasty hack to me. Unfortunately I haven't got
> > time right now to investigate a less nasty hack.
> >
> > However, I did have occasion to wander through this area of the code a
> > while back, and I don't remember there being many places that would be
> > affected, and I also have a vague memory of there being some kind of
> > filtering going on already.
> >
> > BTW, if there's no callback into the app, are you envisaging a patch to
> > OpenSSL? Would it make OpenSSL Kerberos specific?
> >
> > Cheers,
> >
> > Ben.
>
> Vern, Richard and I are already working on adding support to OpenSSL
> for the Kerberos 5 ciphers. All of the Kerberos library calls are
> being placed into two new source files in the ssl directory. The
> other affected files will only make calls to the new support
> functions. OpenSSL can be built with or without Kerberos 5 support.
>
> The changes to ssl_lib.c will look something like
>
> #ifdef KRB5
> if ((cipher & KRB5_MASK) && !kssl_krb5_client_ready())
> skip cipher when building list;
> #endif
>
> and
>
> #ifdef KRB5
> if ((cipher & KRB5_MASK) && !kssl_krb5_server_ready())
> skip cipher when processing client's cipher list;
> #endif
>
> The change is really small. Is it a hack? Yes. But it's a start. It
> can always be re-implemented in a better way later on.
Like you say, it's a start. +1.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
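
Added example, not part of the original thread and not OpenSSL code: a self-contained C sketch of the filtering discussed above, applied in the two functions that convert a cipher list to and from its wire bytes. The struct, the readiness flags (stand-ins for the kssl_krb5_client_ready() and kssl_krb5_server_ready() calls named in the message), the KRB5_MASK value and the suite ids are all assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KRB5_MASK 0x1u                 /* assumed flag bit marking a Kerberos 5 suite */
struct cipher { uint16_t id; unsigned flags; };

/* Stand-ins for the readiness checks named in the thread (assumption). */
static int krb5_client_ready = 0;      /* client holds usable Kerberos credentials */
static int krb5_server_ready = 0;      /* server has its Kerberos key material */

/* Constructed sample table; the ids are illustrative values only. */
static const struct cipher SAMPLE[] = {
    { 0x000A, 0 }, { 0x001F, KRB5_MASK }, { 0x002F, 0 },
};

/* Client: serialise the offered suites (2 bytes each), leaving out Kerberos
 * suites the client could not complete. Returns the number of bytes written. */
size_t cipher_list_to_bytes(const struct cipher *list, size_t n,
                            unsigned char *out, size_t outlen) {
    size_t w = 0;
    for (size_t i = 0; i < n; i++) {
        if ((list[i].flags & KRB5_MASK) && !krb5_client_ready)
            continue;                  /* skip cipher when building list */
        if (outlen - w < 2) break;     /* never write past the buffer */
        out[w++] = (unsigned char)(list[i].id >> 8);
        out[w++] = (unsigned char)(list[i].id & 0xff);
    }
    return w;
}

/* Server: parse the client's bytes against the known table, ignoring unknown
 * ids and Kerberos suites the server cannot serve. Returns suites accepted. */
size_t bytes_to_cipher_list(const unsigned char *in, size_t inlen,
                            const struct cipher *known, size_t nknown,
                            struct cipher *out, size_t outcap) {
    size_t n = 0;
    if (inlen % 2 != 0) return 0;      /* malformed list: odd byte count */
    for (size_t off = 0; off < inlen && n < outcap; off += 2) {
        uint16_t id = (uint16_t)((in[off] << 8) | in[off + 1]);
        for (size_t k = 0; k < nknown; k++) {
            if (known[k].id != id) continue;
            if (!((known[k].flags & KRB5_MASK) && !krb5_server_ready))
                out[n++] = known[k];   /* else: skip cipher from client's list */
            break;
        }
    }
    return n;
}

int main(void) {
    unsigned char buf[8];
    printf("offered bytes without Kerberos credentials: %zu\n",
           cipher_list_to_bytes(SAMPLE, 3, buf, sizeof buf));
    return 0;
}
```

Filtering on both sides means a Kerberos suite is neither offered by a client without credentials nor selected by a server that cannot complete the exchange.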