The ciphers man page contains the following text in the description of the SUITEB cipher strings:

    If used these cipherstrings[sic] should appear first in the cipher list and anything after them is ignored.

In actual fact, if anything appears after them, they are completely ignored. I.e., "SUITEB192:EXP" is identical to "EXP". Also, "SUITEB128:!NULL:!DES:!MD5" results in a cipher suite failure.

It is fairly trivial to make the code behave as documented: simply add a strncmp() to the relevant if statements in ssl.ciph.c [check_suiteb_cipher_list()], like so:

    if (!strcmp(*prule_str, "SUITEB128") ||
        !strncmp(*prule_str, "SUITEB128:", 10))
        suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
    else ...

Please do not change the documentation to match what the code is currently doing - some projects try to enforce better security by adding "!EXP:!NULL" or similar to the user-provided cipher string. Allowing "SUITEB128:!EXP:!NULL" will avoid special handling for Suite B in those cases.

Perhaps a better implementation would be to handle the SUITEB* ciphers more like the FIPS cipher, with names SSL_TXT_SUITEB128, SSL_TXT_SUITEB128ONLY, SSL_TXT_SUITEB192 defined, and algo_strength flags SSL_SUITEB128 and SSL_SUITEB192 defined.
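Added example, not part of the original message and not OpenSSL's code: a stand-alone comparison of exact keyword matching with the keyword-or-keyword-plus-colon match the report proposes, applied to the rule strings it mentions. The enum, table and function names are hypothetical stand-ins, and the sample strings in main() are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the Suite B modes; not OpenSSL's own flag values. */
enum suiteb_mode { SB_NONE = 0, SB_128, SB_128ONLY, SB_192 };

static const struct { const char *kw; enum suiteb_mode mode; } suiteb_kw[] = {
    { "SUITEB128ONLY", SB_128ONLY },
    { "SUITEB128",     SB_128 },
    { "SUITEB192",     SB_192 },
};
#define N_KW (sizeof(suiteb_kw) / sizeof(suiteb_kw[0]))

/* Exact match only: a keyword followed by further rules is not recognised. */
enum suiteb_mode match_exact(const char *rule)
{
    for (size_t i = 0; i < N_KW; i++)
        if (strcmp(rule, suiteb_kw[i].kw) == 0)
            return suiteb_kw[i].mode;
    return SB_NONE;
}

/* Keyword alone, or keyword followed by ':' (the proposed strncmp() check).
 * *rest is set to the rules after the keyword, or to rule if nothing matched. */
enum suiteb_mode match_prefix(const char *rule, const char **rest)
{
    for (size_t i = 0; i < N_KW; i++) {
        size_t n = strlen(suiteb_kw[i].kw);
        if (strncmp(rule, suiteb_kw[i].kw, n) == 0 &&
            (rule[n] == '\0' || rule[n] == ':')) {
            *rest = (rule[n] == ':') ? rule + n + 1 : rule + n;
            return suiteb_kw[i].mode;
        }
    }
    *rest = rule;
    return SB_NONE;
}

int main(void)
{
    /* Constructed sample inputs, taken from the strings quoted in the report. */
    const char *samples[] = { "SUITEB128", "SUITEB192:EXP", "SUITEB128:!EXP:!NULL" };
    for (size_t i = 0; i < 3; i++) {
        const char *rest;
        enum suiteb_mode m = match_prefix(samples[i], &rest);
        printf("%-22s exact=%d prefix=%d rest=\"%s\"\n",
               samples[i], match_exact(samples[i]), m, rest);
    }
    return 0;
}
```

Requiring the character after the keyword to be ':' or the end of the string keeps "SUITEB128ONLY" from being taken for "SUITEB128", which is why the proposed strncmp() compares against "SUITEB128:" with the colon included.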