Fred Picher wrote:
> Hello,
>
> Thanks for your reply.
>
>> If this is not sufficient you may check out ssl/sslv3.c etc and
>> actually remove the ciphers you don't want to support in your
>> libssl from the registration tables.
>
> As a test, I've commented out every cipher definition in
> ssl/s3_lib.c, like this example:
>
> The list is:
>
> OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ [...] }
>
> And a typical commented entry is:
>
> /* Cipher 05 */
> /*
>     {
>     1,
>     SSL3_TXT_RSA_RC4_128_SHA,
>     SSL3_CK_RSA_RC4_128_SHA,
>     SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|SSL_SSLV3,
>     SSL_NOT_EXP|SSL_MEDIUM,
>     0,
>     128,
>     128,
>     SSL_ALL_CIPHERS,
>     SSL_ALL_STRENGTHS,
>     },
> */
>
> None are left uncommented. But still, after make clean,
> Configure, make depend, make and installation, the system
> reports:
>
> openssl ciphers -v
> DES-CBC3-MD5 SSLv2 Kx=RSA Enc=3DES(168) Mac=MD5
> RC2-CBC-MD5 SSLv2 Kx=RSA Enc=RC2(128) Mac=MD5
> RC4-MD5 SSLv2 Kx=RSA Enc=RC4(128) Mac=MD5
> DES-CBC-MD5 SSLv2 Kx=RSA Enc=DES(56) Mac=MD5
> EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Enc=RC2(40) Mac=MD5 export
> EXP-RC4-MD5 SSLv2 Kx=RSA(512) Enc=RC4(40) Mac=MD5 export
>
> Which is much less than before but, where are these coming from
> since everything is commented out? I do not mind that much the
> low encryption ciphers, but the first three are a bother. I can
> add more of the low encryption ciphers by uncommenting their
> respective declaration, but I cannot get rid of the first three.
>
> Now, 3DES might be somehow dynamically added to the list when DES
> is present. That could make sense and would mean that the actual
> DES-specific code would have to be modified to separate 3DES.
>
> Would that be also the case for the two high-crypto RC2 and RC4?
> Can they be variations added dynamically to the cipher list and
> not have a proper static definition in ssl/s3_lib.c

You did not read the fine print :-)
The ciphers listed apply to SSLv2 (second column of the output above).
Hence you have to edit ssl/s2_lib.c as well (that was the "etc" :-)

Best regards,
Lutz

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                                [EMAIL PROTECTED]
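
One way to check which cipher table the remaining entries come from, using the second column Lutz points to (an added example, not part of the original thread; the function names are hypothetical, the sample is the output quoted above, and only the two files named in the thread are mapped):

```shell
#!/bin/sh
# Added example: attribute each line of `openssl ciphers -v` to a cipher table.
# Only the two files named in the thread are mapped; anything else is "other".

# Output quoted in the thread (after ssl/s3_lib.c was fully commented out).
sample_output() {
cat <<'EOF'
DES-CBC3-MD5 SSLv2 Kx=RSA Enc=3DES(168) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Enc=RC4(128) Mac=MD5
DES-CBC-MD5 SSLv2 Kx=RSA Enc=DES(56) Mac=MD5
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Enc=RC4(40) Mac=MD5 export
EOF
}

# Reads `openssl ciphers -v` output on stdin; prints one count per table.
count_by_table() {
    awk '
        NF < 2 { next }                 # skip blank or malformed lines
        $2 == "SSLv2" { s2++; next }    # protocol is the second column
        $2 == "SSLv3" { s3++; next }
        { other++ }
        END {
            printf "ssl/s2_lib.c (SSLv2): %d\n", s2
            printf "ssl/s3_lib.c (SSLv3): %d\n", s3
            printf "other: %d\n", other
        }'
}

# Reads the same input; prints the cipher names for protocol $1, one per line.
names_for_protocol() {
    awk -v proto="$1" 'NF >= 2 && $2 == proto { print $1 }'
}

# Stand-alone run: pass "live" to query the installed binary,
# otherwise the sample quoted in the thread is used.
if [ "${1:-}" = "live" ]; then
    openssl ciphers -v | count_by_table
else
    sample_output | count_by_table
fi
```

A zero count for ssl/s3_lib.c on the sample shows the SSLv3 table edit took effect and that every remaining entry is an SSLv2 one.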