On Wed, Jan 22, 2003 at 10:31:17AM -0800, [EMAIL PROTECTED] wrote:
>
> I restricted the ciphers on OpenSSL server (Apache with OpenSSL) to say:
> ALL:!eNULL
>
> Case 1: On client side if I use SSL_set_cipher_list() to set the cipher to NULL-MD5
>and connect to the server, the handshake fails.
>
> Case 2: On client side if I set the cipher to EXP-RC4-MD5, the handshake succeeds.
>Now, if I close the socket and reuse the ssl structure (which essentially reuses the
>previous session) with cipher set to NULL-MD5 then the handshake succeeds.
> So it seems like when a session is reused the SSL server accept does not check if
>the cipher is allowed!
> Is this the desired behavior?
What is the cipher that is actually being used after the resumption in
your experiment?
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]