After further study, I have accomplished my immediate goal by rebuilding sendmail with FFR_TLS_1 enabled which gives me a CipherList option, and a quick 'man ciphers' sets me down the path to strong ciphers.
So, I'm good to go. But, as a thought project, how would I do what I had originally asked - limit the library to just "strong" ciphers - most correctly?

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Diffenderfer, Randy
Sent: Wednesday, August 18, 2010 12:43 PM
To: openssl-users@openssl.org
Subject: The best way to limit cipher strength

What is the "correct" way to limit cipher suite strength, as in get rid of "weak" ciphers? I am contemplating building an openssl version with no support for export ciphers, and no support for SSLv2 cipher suites. I tried the config args of "no-ssl2" and "no-export", and got half the intended result. The SSLv2 suites are gone, but the export strength remains. So, what's the right way to do this?

Thanks,
rnd
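Added example, not part of the original messages: one way to check what a cipher string (the kind of value given to a CipherList option and described in 'man ciphers') actually expands to on the locally linked OpenSSL, and whether any weak suites remain. The function names, the 128-bit threshold and the name markers are assumptions chosen for illustration.

```python
import ssl

# Name fragments marking suites usually treated as weak: export-grade,
# NULL encryption, anonymous key exchange, RC4 and single DES.
# (Assumed policy for this example, not taken from the thread.)
WEAK_MARKERS = ("EXP", "NULL", "ADH", "AECDH", "RC4", "DES-CBC-")
MIN_BITS = 128  # assumed minimum symmetric strength for "strong"


def expand(cipher_string):
    """Return the suites the local OpenSSL enables for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Raises ssl.SSLError if the string selects no usable suite.
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def is_weak(suite):
    """True if a get_ciphers() entry is below policy by bits or by name."""
    name = suite["name"]
    too_short = suite["strength_bits"] < MIN_BITS
    return too_short or any(marker in name for marker in WEAK_MARKERS)


def audit(cipher_string):
    """Return (number of enabled suites, sorted names of weak ones)."""
    suites = expand(cipher_string)
    weak = sorted(s["name"] for s in suites if is_weak(s))
    return len(suites), weak


if __name__ == "__main__":
    # Constructed candidate strings; results depend on the OpenSSL build.
    for candidate in ("HIGH:!aNULL:!eNULL", "ALL:eNULL"):
        try:
            count, weak = audit(candidate)
        except ssl.SSLError as exc:
            print(f"{candidate!r}: rejected by this build ({exc})")
            continue
        print(f"{candidate!r}: {count} suites enabled, weak: {weak or 'none'}")
```

The result reflects the OpenSSL build the interpreter is linked against, so run it on the host whose configuration is being checked.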