Hello,

Thanks for your reply.  

> If this is not sufficient you may check out ssl/sslv3.c etc and
> actually remove the ciphers you don't want to support in your
> libssl from the registration tables.

As a test, I've commented out every cipher definition in
ssl/s3_lib.c, like this example:

The list is:

OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ [...] }

And a typical commented entry is:

/* Cipher 05 */
/*
        {
        1,
        SSL3_TXT_RSA_RC4_128_SHA,
        SSL3_CK_RSA_RC4_128_SHA,
        SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_SHA1|SSL_SSLV3,
        SSL_NOT_EXP|SSL_MEDIUM,
        0,
        128,
        128,
        SSL_ALL_CIPHERS,
        SSL_ALL_STRENGTHS,
        },
*/

None are left uncommented.  But still, after make clean,
Configure, make depend, make and installation, the system
reports:

openssl ciphers -v
DES-CBC3-MD5            SSLv2 Kx=RSA      Enc=3DES(168) Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA      Enc=RC2(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Enc=RC4(128)  Mac=MD5
DES-CBC-MD5             SSLv2 Kx=RSA      Enc=DES(56)   Mac=MD5
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Enc=RC4(40)   Mac=MD5  export

Which is much less than before, but where are these coming from
since everything is commented out?  I do not mind the low
encryption ciphers that much, but the first three are a bother.  I can
add more of the low encryption ciphers by uncommenting their
respective declaration, but I cannot get rid of the first three.

Now, 3DES might be somehow dynamically added to the list when DES
is present.  That could make sense and would mean that the actual
DES-specific code would have to be modified to separate 3DES.

Would that also be the case for the two high-crypto RC2 and RC4?
Can they be variations added dynamically to the cipher list and
not have a proper static definition in ssl/s3_lib.c?

Any suggestions/hints/comments are very much appreciated.

Cheers.
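
An added example, not part of the original message and not OpenSSL code: a small Python parser for the `openssl ciphers -v` listing quoted above, which groups the remaining entries by the protocol column and picks out the non-export entries of 128 bits or more (the "first three" the message refers to). The function names are hypothetical; the listing is copied from the message.

```python
import re
from collections import defaultdict

# Listing copied verbatim from the message above.
LISTING = """\
DES-CBC3-MD5            SSLv2 Kx=RSA      Enc=3DES(168) Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA      Enc=RC2(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Enc=RC4(128)  Mac=MD5
DES-CBC-MD5             SSLv2 Kx=RSA      Enc=DES(56)   Mac=MD5
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Enc=RC4(40)   Mac=MD5  export
"""

FIELD = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")   # key=value columns
SIZED = re.compile(r"([^()]+)(?:\((\d+)\))?$")    # e.g. "3DES(168)" or "None"


def parse_listing(text):
    """Turn `openssl ciphers -v` rows into dicts; skip lines that do not fit."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        fields = dict(FIELD.findall(line))
        sized = SIZED.match(fields.get("Enc", ""))
        if len(parts) < 3 or sized is None:
            continue  # blank line, echoed command, or other non-cipher text
        entries.append({
            "name": parts[0],
            "protocol": parts[1],           # second column: SSLv2, SSLv3, ...
            "kx": fields.get("Kx"),
            "enc": sized.group(1),
            "bits": int(sized.group(2) or 0),
            "mac": fields.get("Mac"),
            "export": parts[-1] == "export",
        })
    return entries


def by_protocol(entries):
    """Group cipher names by the protocol version each row reports."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["protocol"]].append(e["name"])
    return dict(groups)


def strong_entries(entries, min_bits=128):
    """Names of non-export ciphers whose key size is at least min_bits."""
    return [e["name"] for e in entries
            if not e["export"] and e["bits"] >= min_bits]
```

Run against this listing, every remaining row reports SSLv2 in its protocol column, and none reports SSLv3.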




______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
