Richard Levitte via RT wrote:
> Hmm, there's a problem that haven't been addressed at all by the
> IETF. SSLv3 contains the following as part of it's ciphersuite:
>
> The final cipher suites are for the FORTEZZA token.
>
> CipherSuite SSL_FORTEZZA_KEA_WITH_NULL_SHA = {
> 0X00,0X1C };
> CipherSuite SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = {
> 0x00,0x1D };
> CipherSuite SSL_FORTEZZA_KEA_WITH_RC4_128_SHA = {
> 0x00,0x1E };
>
> Please note how the last one clashes with the first of the KRB5
> suite. Also, when one looks at RFC 2246 (TLS), there's this note at
> the end of section A.5:
My understanding of the history is that the original SSLv3 spec only
included the first two (see
http://wp.netscape.com/eng/ssl3/4-APPN.HTM#A-6). A later version
(http://wp.netscape.com/eng/ssl3/draft302.txt) added the third one, but
that never made it into RFC2246 and escaped the attention of the authors
of RFC2712.
As for a solution for OpenSSL, one option would be to disable
(completely or in the default Kerberos enabled configuration) the
ciphersuite 0x00 0x1E, which is only 56 bit DES anyway
(TLS_KRB5_WITH_DES_CBC_SHA).
Andreas.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
