Fred Picher wrote:
> Hello all,
>
>   I'd like to get all of the ciphers that are tagged 'export' as
> well as the 56-bit ones that are not.  E.g.:
>
> (list somewhat shortened in width)
>
> EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Enc=DES(56)
> EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Enc=DES(56)
> DES-CBC-SHA             SSLv3 Kx=RSA      Enc=DES(56)
> DES-CBC-MD5             SSLv2 Kx=RSA      Enc=DES(56)
> EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Enc=DES(40) export
> EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Enc=DES(40) export
> EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Enc=DES(40) export
> EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Enc=RC2(40) export
> EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Enc=RC2(40) export
> EXP-RC4-MD5             SSLv3 Kx=RSA(512) Enc=RC4(40) export
> EXP-RC4-MD5             SSLv2 Kx=RSA(512) Enc=RC4(40) export
>
> I've tried using these names for Configure, as in:
>
> ../Configure no-DHE-RSA-AES256-SHA no-AES256-SHA
> no-EDH-RSA-DES-CBC3-SHA no-DES-CBC3-SHA (...) but that results in syntax 
> errors such as:
>
> .../../include/openssl/opensslconf.h:75:31: error: missing ')'
> after "defined"
>
> .../../include/openssl/opensslconf.h:75:32: error: missing binary
> operator before token "SHA"
>
> Which are due to the presence of dashes in defines such as:
>
> openssl/opensslconf.h
> if defined(OPENSSL_NO_AES128-SHA)
> if defined(OPENSSL_NO_DHE-RSA-AES128-SHA)
>
> So on and so forth.
>
> So, that's seemingly not the way to call ./Configure with the
> 'no-' option.
>
> Then I tried using:
>
> ../Configure no-aes no-rsa no-dss no-rc4 no-rc2
>
> This works, but gives only these two ciphers:
>
> openssl ciphers -v
> EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Enc=DES(56) 
> EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Enc=DES(40)  export
>
> What I'm trying to find is how to precisely have all of the
> 'export' ciphers along with the 56-bit ones not tagged as
> exportable.  What would be the proper way to use the Configure
> 'no-' option to achieve this?
>
> Thanks again for any suggestions/hints/comments!
>   
The OpenSSL configuration tools do not support such a limitation.
libcrypto does not support any limitation at all beyond removing
algorithms, with the side effects you already noted. RC4 is a 128-bit
algorithm. Its 40-bit incarnation just uses 88 known bits to fill the
key.
You could adjust the ciphers supported by your own software
by selecting only the export ciphers
  openssl ciphers -v EXP
see "man SSL_CTX_set_cipher_list".
If this is not sufficient, you may check out ssl/sslv3.c etc. and actually
remove the ciphers you don't want to support in your libssl from the
registration tables.

Best regards,
    Lutz
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
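
An added example, not part of the original thread and not OpenSSL code: a Python audit helper that parses lines in the `openssl ciphers -v` layout quoted above and reports the export-tagged and 56-bit-or-weaker entries, the set the question asks about. The sample listing is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the `openssl ciphers -v` layout quoted in the thread.
# The last line carries the Au=/Mac= columns the thread trimmed for width.
SAMPLE = """\
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Enc=DES(56)
DES-CBC-MD5             SSLv2 Kx=RSA      Enc=DES(56)
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Enc=DES(40) export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Enc=RC4(40) export
AES256-SHA              SSLv3 Kx=RSA      Enc=AES(256)
NULL-SHA                SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
"""

# Enc=ALG(bits); the bit count is absent for NULL ciphers (Enc=None).
ENC_RE = re.compile(r"^Enc=([^()\s]+)(?:\((\d+)\))?$")

def parse_cipher_line(line):
    """Parse one listing line into a dict; return None for blank/short lines."""
    fields = line.split()
    if len(fields) < 2:
        return None
    entry = {"name": fields[0], "protocol": fields[1],
             "kx": None, "enc": None, "bits": None, "export": False}
    for tok in fields[2:]:
        m = ENC_RE.match(tok)
        if tok == "export":
            entry["export"] = True
        elif tok.startswith("Kx="):
            entry["kx"] = tok[3:]
        elif m:
            entry["enc"] = m.group(1)
            # No bit count means no encryption at all: record it as 0 bits.
            entry["bits"] = int(m.group(2)) if m.group(2) else 0
        # Other columns (Au=, Mac=) are ignored.
    return entry

def weak_ciphers(listing, max_bits=56):
    """Return (name, protocol, bits, export) for export or <= max_bits ciphers."""
    flagged = []
    for line in listing.splitlines():
        e = parse_cipher_line(line)
        if e is None:
            continue
        if e["export"] or (e["bits"] is not None and e["bits"] <= max_bits):
            flagged.append((e["name"], e["protocol"], e["bits"], e["export"]))
    return flagged

if __name__ == "__main__":
    for row in weak_ciphers(SAMPLE):
        print(row)
```

Feeding it the real output of `openssl ciphers -v` from a given build shows which of that build's ciphers fall into the export or 56-bit group.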