On Mon, Jun 18, 2007 at 01:44:52PM -0700, David Schwartz wrote:

> 
> > Hello,
> >
> > is there a way to ascertain that the data I am BIO-putting to an
> > HTTPS server
> > are actually encrypted, apart from watching the data flows from my openssl
> > application to the server, using tcpdump?
> >

Unless *both* the client and server cipherlists include "eNULL" ciphers,
and no better cipher is negotiated, plaintext does not happen. The DEFAULT
(and even the "ALL") cipherlist for OpenSSL excludes null ciphers. You have
to go out of your way to enable these:

    $ openssl ciphers -v COMPLEMENTOFALL
    NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
    NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5

The algorithm bit strength for these is zero; this can be checked using
the appropriate APIs. Whether 40 bit RC4 is much better than "NULL"
is another matter.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]

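Added example (not part of the thread above, and not OpenSSL project code): the "bit strength is zero" check Viktor mentions, done through Python's standard `ssl` module, which exposes OpenSSL's per-cipher strength (what `SSL_CIPHER_get_bits` reports) as the `strength_bits` field of `SSLContext.get_ciphers()` and of `SSLSocket.cipher()`. The cipher-list strings are the ones from the mail (`DEFAULT`, `ALL`, `eNULL`/`COMPLEMENTOFALL`); the function names are my own. Whether `eNULL` expands to anything at all depends on how the local libssl was built, so that case is handled rather than assumed.

```python
"""Check OpenSSL cipher lists and live TLS sockets for null (unencrypted) ciphers.

Added illustration for the openssl-users thread on "is my data really encrypted";
uses only Python's standard ssl module, which is a thin wrapper over libssl.
"""
import ssl


def ciphers_for(cipherlist):
    """Expand an OpenSSL cipher-list string the way SSL_CTX_set_cipher_list does.

    Returns the list of cipher dicts OpenSSL would offer for this list, or None
    when the string matches nothing in this build (e.g. eNULL on a libssl built
    without null ciphers).  Note that TLS 1.3 suites are always present in the
    result; they are all AEAD ciphers with 128 or 256 bits and are never null.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipherlist)
    except ssl.SSLError:
        return None          # OpenSSL rejected the list: no cipher matched
    return ctx.get_ciphers()  # each entry carries 'name', 'protocol', 'strength_bits', ...


def null_ciphers(cipherlist):
    """Names of the ciphers in `cipherlist` that carry zero bits of encryption.

    This is the "algorithm bit strength is zero" test from the thread, applied to
    a whole list before any connection is made.  An empty result means the list
    can never negotiate plaintext.
    """
    return [c["name"] for c in (ciphers_for(cipherlist) or []) if c["strength_bits"] == 0]


def connection_is_encrypted(tls_sock):
    """Runtime counterpart: True if an established SSLSocket negotiated a real cipher.

    SSLSocket.cipher() returns (name, protocol_version, secret_bits); the last
    element is SSL_CIPHER_get_bits for the negotiated suite, so a NULL-* cipher
    shows up as 0 here regardless of what the peer claims.
    """
    info = tls_sock.cipher()
    if info is None:
        return False          # handshake not done: nothing is protected yet
    name, _version, bits = info
    return bits > 0 and "NULL" not in name


if __name__ == "__main__":
    for cl in ("DEFAULT", "ALL", "eNULL"):
        expanded = ciphers_for(cl)
        if expanded is None:
            print(f"{cl:8s}: no matching ciphers in this OpenSSL build")
        else:
            print(f"{cl:8s}: {len(expanded)} ciphers, null ciphers = {null_ciphers(cl)}")
```

Running it on a stock build prints empty null-cipher lists for `DEFAULT` and `ALL` and a non-empty one (NULL-SHA256, ECDHE-*-NULL-SHA and friends) only for `eNULL`, which is exactly the point of the reply: you get plaintext only by asking for it on both ends. `connection_is_encrypted` is the check to run on an open socket if you still want belt and braces instead of tcpdump.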