Well, one problem is that "strcasecmp" is not in the Standard C Library, and in fact is illegal, because external identifiers beginning with "str" are reserved to the implementation.
There is no standard case-insensitive string-comparison function in C. You have to write your own. Here's one:

#include <ctype.h>

int cmpstri(const char *s1, const char *s2)
{
   const unsigned char *us1 = (const unsigned char *)s1,
                       *us2 = (const unsigned char *)s2;

   /***
   Handle null inputs.  This function treats null strings as equal to
   one another and less than non-null strings.  Some applications might
   prefer different semantics (e.g. treating null strings as empty
   strings).
   ***/

   if (!s1 && !s2) return 0;
   else if (!s1) return -1;
   else if (!s2) return 1;

   /***
   Compare strings.  Use unsigned char because tolower is not guaranteed
   with signed input, and plain char may be signed
   (implementation-dependent).  ISO 9899-1990 7.3.
   ***/

   while (*us1 || *us2)
   {
      unsigned char l1 = tolower(*us1), l2 = tolower(*us2);
      if (l1 < l2) return -1;
      if (l1 > l2) return 1;
      us1++, us2++;
   }

   return 0;
}

(Untested, but copied with some modifications from an existing implementation.)

That said, I agree that case-insensitive comparison would be a good idea here.

-- 
Michael Wojcik
Technology Specialist, Micro Focus

> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Salz, Rich
> Sent: Friday, 15 August, 2014 14:36
> To: openssl-users@openssl.org
> Subject: RE: Case-sensitive cipher names are a bad idea
>
> > The case makes some things more clear:
>
> I never said it didn't.
>
> > There are lots of other ways to typo the input string.
>
> Yup, but saying TLSV1 won't work while TLSv1 does work is silly.
>
> > Perhaps there are currently no collisions, and case folding is likely safe, but I
> > don't really see much benefit from this.  I think that's the wrong problem to
> > invest time in.  Instead, things like the security level interface in "master",
> > (which still needs some polish) are more like the way to go.  The cipherlist
> > mini-language is much too subtle for most users.
>
> While I tend to agree (my test: explain the difference between ! and -), I
> have seen people hurt by this particular problem.  I happen not to be
> thrilled with the security level interface, but that's me.  Many people will
> find it useful.  It will not address the problems some of us have.
>
> And as you point out, it's not done yet.
>
> I'm talking a bugfix-level patch to turn strncmp() in ssl/ssl_ciph.c to
> strncasecmp.
>
> Does anyone see a PROBLEM with this?
>
>       /r$
>
> --
> Principal Security Engineer
> Akamai Technologies, Cambridge MA
> IM: rs...@jabber.me Twitter: RichSalz
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
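
An added example, not part of the original message and not OpenSSL code: a length-bounded, case-insensitive match for cipher-name tokens, plus a check that a name table has no two entries that become identical once case is folded (the collision concern in the quoted text). The function names and the sample table are hypothetical; folding ASCII by hand instead of calling tolower() is an assumption made here so the result does not depend on the process locale.

```c
#include <stddef.h>
#include <string.h>

/* Fold only ASCII 'A'..'Z'; unlike tolower(), the result does not
   depend on the current locale. */
static unsigned char ascii_lower(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') ? (unsigned char)(c - 'A' + 'a') : c;
}

/* Return 1 if the len-byte token equals the NUL-terminated name,
   ignoring ASCII case. The token need not be NUL-terminated. */
static int token_eq_nocase(const char *tok, size_t len, const char *name)
{
    size_t i;
    if (tok == NULL || name == NULL || strlen(name) != len)
        return 0;
    for (i = 0; i < len; i++)
        if (ascii_lower((unsigned char)tok[i]) !=
            ascii_lower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Constructed sample table, not OpenSSL's real alias list. */
static const char *const sample_names[] = { "TLSv1", "SSLv3", "HIGH", "aNULL", "eNULL" };
#define N_NAMES (sizeof sample_names / sizeof sample_names[0])

/* Index of the entry matching the token, or -1 if there is none. */
static int find_name(const char *tok, size_t len)
{
    size_t i;
    for (i = 0; i < N_NAMES; i++)
        if (token_eq_nocase(tok, len, sample_names[i]))
            return (int)i;
    return -1;
}

/* Count pairs of distinct entries that become equal after folding;
   any such pair would make a case-insensitive lookup ambiguous. */
static int fold_collisions(const char *const *names, size_t n)
{
    size_t i, j;
    int hits = 0;
    for (i = 0; i < n; i++)
        for (j = i + 1; j < n; j++)
            hits += token_eq_nocase(names[i], strlen(names[i]), names[j]);
    return hits;
}
```

Running fold_collisions() over the real name table before switching a lookup to case-insensitive matching shows whether any existing pair of names would start to alias each other.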