> The case makes some things more clear:

I never said it didn't.

> There are lots of other ways to typo the input string. 

Yup, but saying TLSV1 won't work while TLSv1 does work is silly.

> Perhaps there are currently no collisions, and case folding is likely safe,
> but I don't really see much benefit from this.  I think that's the wrong
> problem to invest time in.  Instead, things like the security level interface
> in "master", (which still needs some polish) are more like the way to go.  The
> cipherlist mini-language is much too subtle for most users.

While I tend to agree (my test: explain the difference between ! and -), I have 
seen people hurt by this particular problem.  I happen not to be thrilled with 
the security level interface, but that's me.  Many people will find it useful. 
It will not address the problems some of us have.

And as you point out, it's not done yet.

I'm talking a bugfix-level patch to turn strncmp() in ssl/ssl_ciph.c to 
strncasecmp.

Does anyone see a PROBLEM with this?

        /r$

--  
Principal Security Engineer
Akamai Technologies, Cambridge MA
IM: rs...@jabber.me Twitter: RichSalz
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
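
The change discussed in the message above, as an added example that is not part of the original message and is not OpenSSL's code: a simplified model of length-bounded keyword matching that shows what swapping strncmp() for strncasecmp() changes, plus a check that case folding makes no two keywords collide. The keyword table is a small constructed subset of cipherlist keywords, and match_keyword and fold_collisions are hypothetical helper names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp, strcasecmp (POSIX) */

/* Constructed subset of cipherlist keywords; not OpenSSL's real alias table. */
static const char *const keywords[] = {
    "TLSv1", "SSLv3", "kRSA", "aRSA", "RSA", "aNULL", "eNULL", "NULL", "HIGH",
};
#define NKEYWORDS (sizeof(keywords) / sizeof(keywords[0]))

typedef int (*cmp_fn)(const char *, const char *, size_t);

/* Return the index of the keyword equal to tok[0..len), or -1 if none.
 * The terminator check stops a bare prefix such as "TLS" matching "TLSv1". */
static int match_keyword(const char *tok, size_t len, cmp_fn cmp)
{
    for (size_t i = 0; i < NKEYWORDS; i++)
        if (cmp(tok, keywords[i], len) == 0 && keywords[i][len] == '\0')
            return (int)i;
    return -1;
}

/* Count keyword pairs that differ only in case. Any such pair would become
 * ambiguous once matching is case-insensitive, so this must stay at zero. */
static int fold_collisions(void)
{
    int n = 0;
    for (size_t i = 0; i < NKEYWORDS; i++)
        for (size_t j = i + 1; j < NKEYWORDS; j++)
            if (strcasecmp(keywords[i], keywords[j]) == 0)
                n++;
    return n;
}

int main(void)
{
    const char *inputs[] = { "TLSv1", "TLSV1", "krsa", "TLS" };

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        size_t len = strlen(inputs[i]);
        printf("%-6s strncmp=%2d strncasecmp=%2d\n", inputs[i],
               match_keyword(inputs[i], len, strncmp),
               match_keyword(inputs[i], len, strncasecmp));
    }
    printf("case-fold collisions in table: %d\n", fold_collisions());
    return 0;
}
```
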
