On Wed, Feb 08, 2006 at 12:53:26PM -0700, Kyle Hamilton wrote:
> Check the documentation for the various levels to see what each cipher
> falls into. Specifically, "LOW" is any 40 or 56-bit cipher, and 768
> bytes or below RSA key. MEDIUM is any 128 bit cipher (except AES) and
> 1024 bits or more of RSA key. HIGH is any 256-bit cipher, any AES
> cipher, and 2048+ bits of RSA key. That's the general breakdown, as
> far as I recall (from earlier discussions on this list).
>
I am looking for supported API interfaces, not internal structure
details. I am asking how to check whether the current cipher is a member
of the cipher list for a given cipher rule string that the administrator
may specify as indicating a "secure-channel" encryption level.
$ openssl ciphers -v 'HIGH:MEDIUM:!ADH:!SSLv2:@STRENGTH'
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-RC4-SHA SSLv3 Kx=DH Au=DSS Enc=RC4(128) Mac=SHA1
KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5
KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
KRB5-DES-CBC3-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=MD5
KRB5-DES-CBC3-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1
Nothing here about RSA key lengths, just symmetic key sizes. Presumably
the asymmetric ciphers have appropriate minimum key lengths when used
with strong symmetric ciphers, but in any case, the question is how
to query for cipher list membership.
Some of the relevant functions are and
SSL_set_cipher_list()
SSL_get_cipher_list()
it looks like I could construct a dummy "SSL", apply the cipher spec
to it (rather than the SSL associated with the actual session, since
it is not clear what the consequences of changing its cipher list may
be), then look for the current cipher on the list.
Is there a better way? Is this a sensible interface, or would I be
better off just asking the administrator for a bit strength. I
would like an answer from someone is prepared to go beyond the
documentation. I have read it, and read much of the relevant code
also.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
