On Wed, May 15, 2013 at 12:58:37AM +0000, Santhosh Kokala wrote:
> I have a use case where an admin can configure the Ciphers from
> UI. I have this code in the backend that tries to set the cipher
>
> meth = TLSv1_client_method();
>
> ctx = SSL_CTX_new(meth);
>
> sslretval = SSL_CTX_set_cipher_list(ctx, ts_str(cipher));
>
> When a user sets a cipher such as "MD5" when the device is in
> FIPS mode the above call returns an error code. I am thinking to
> validate the input cipher against the list of FIPS supported ciphers
> before calling SSL_CTX_set_cipher_list(). Is there a function where
> I can get a list of FIPS supported ciphers?
The OpenSSL cipherlist string is a rather subtle language; I would
not expose it directly to users. Instead define a menu of cipher
grades, and have the administrator choose from that. The menu
of cipher grades should:
- Be monotone. Each grade restricts the cipher list to increasingly more
secure options. The sets of underlying ciphers corresponding to each
grade should form a total order under set inclusion.
- Be pre-validated. Don't give users choices that make them feel stupid
when their choice is rejected as invalid.
- Be something the user can understand.
For example, Postfix provides the grades "export", "low", "medium" and
"high". Unlike the OpenSSL "EXPORT", "LOW", "MEDIUM" and "HIGH" the
Postfix grades are inclusive of all stronger ciphers:
export = EXPORT + LOW + MEDIUM + HIGH
low = LOW + MEDIUM + HIGH
medium = MEDIUM + HIGH
high = HIGH
The actual definitions are more complex and are approximately:
export = ALL:@STRENGTH
low = ALL:!EXPORT:@STRENGTH
medium = ALL:!EXPORT:!LOW:@STRENGTH
high = ALL:!EXPORT:!LOW:!MEDIUM:@STRENGTH
This avoids including eNULL and other ciphers normally omitted from
ALL. You may want "DEFAULT" rather than "ALL", if anonymous ciphers
are not appropriate in your application.
If the underlying choices need to be configurable, that should
generally not be via the UI, rather via a configuration file of
some sort.
This assumes your users are normal users, not SSL protocol testers
who want fine-grained control and understand OpenSSL ciphers in
detail.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
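The grade menu Viktor describes, as an added worked example that is not part of the thread or of Postfix's own code: the table below uses the approximate Postfix definitions quoted in the mail, and Python's standard ssl module (whose set_ciphers() wraps the same SSL_CTX_set_cipher_list() call from the question) to pre-validate each grade against the running OpenSSL build and to check that the grades really are monotone under set inclusion. The names GRADES, GRADE_ORDER, ciphers_for, available_grades, is_monotone and configure_grade are my own; the exact cipher counts depend on the OpenSSL build (a FIPS or modern build simply drops the EXPORT and LOW suites, which keeps the inclusion chain intact).

```python
import ssl

# Cipher grades from the mail: each grade is inclusive of all stronger
# ciphers, so the underlying cipher sets form a chain under set inclusion.
# The strings are the approximate Postfix definitions quoted in the thread.
GRADES = {
    "export": "ALL:@STRENGTH",
    "low":    "ALL:!EXPORT:@STRENGTH",
    "medium": "ALL:!EXPORT:!LOW:@STRENGTH",
    "high":   "ALL:!EXPORT:!LOW:!MEDIUM:@STRENGTH",
}
# Weakest to strongest; this is the only thing the admin UI offers.
GRADE_ORDER = ("export", "low", "medium", "high")


def ciphers_for(cipherlist):
    """Return the set of cipher names an OpenSSL cipherlist string selects
    on this build, or None if OpenSSL rejects it (nothing matches, or FIPS
    mode has removed every matching cipher)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipherlist)  # calls SSL_CTX_set_cipher_list()
    except ssl.SSLError:
        return None
    return frozenset(c["name"] for c in ctx.get_ciphers())


def available_grades():
    """Pre-validate the menu: offer only the grades this build can satisfy,
    so an admin never picks an option that is rejected later."""
    return [g for g in GRADE_ORDER if ciphers_for(GRADES[g])]


def is_monotone(order=GRADE_ORDER):
    """Check the monotonicity property from the mail: each grade's cipher
    set is a subset of the next weaker grade's cipher set."""
    sets = [ciphers_for(GRADES[g]) for g in order]
    if any(s is None for s in sets):
        return False
    return all(stronger <= weaker for weaker, stronger in zip(sets, sets[1:]))


def configure_grade(ctx, grade):
    """Apply a grade chosen from the menu to an SSLContext. Raw cipherlist
    strings from the UI are never accepted, only a known grade name."""
    if grade not in GRADES:
        raise ValueError("unknown cipher grade: %r" % (grade,))
    ctx.set_ciphers(GRADES[grade])
    return GRADES[grade]


if __name__ == "__main__":
    print("grades offered on this build:", available_grades())
    print("grades are monotone:", is_monotone())
    for g in GRADE_ORDER:
        names = ciphers_for(GRADES[g])
        print("%-6s -> %d ciphers" % (g, len(names) if names else 0))
```

Running the script prints which grades the local OpenSSL build can satisfy and confirms the inclusion chain; in an application, available_grades() populates the UI menu and configure_grade() is the only path from the admin's choice to SSL_CTX_set_cipher_list().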