On Mon, 16 Mar 1998, George Chung wrote:
> Perhaps I'm being naive, but it seems like it should be possible for an
> ssl peer to algorithmically specify the ordered list of preferred
> ciphersuites given the following information:
>
> 1. ordered list (in preference order) of available signature algorithms
> 2. ordered list (in preference order) of available integrity algorithms
> 3. ordered list (in preference order) of available encryption algorithms
> 4. for server, signature type (e.g., RSA, DSA, Fortezza, DH) of its
> certificate (NULL if no certificate)
> 5. for server, signature type (e.g., RSA, DSA, Fortezza) of ordered list
> (in preference order) of trusted root certificates
>
> Is this at all a reasonable idea?
>
> I'm struggling with how to expose this "choice" (ordering of ssl
> ciphersuites in preference order) to a user or an administrator through
> some INI or config file "knobs". I do NOT want to expose them to
> ordering strings like:
>
> SSL_RSA_WITH_RC4_MD5
> SSL_DHE_DSA_WITH_3DES_SHA
> etc.
>
> in a config file.
SSLeay does this of sorts. Each SSL/TLS cipher has a symetric cipher, a MAC,
a key-exchange and a authenticion component.
Try playing with 'ssleay ciphers -v <string>' where
ssleay ciphers -v DES3:SHA1:kRSA:aDSA:+aRSA:+RC4:!EXP:+EDH
ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-DES-CBC-SHA SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-64-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
The order is the preference order. The plain name includes all ciphers with
that item, a +name 'pulls' all matching cipher to that point, (+DH+aRSA works
as expected). !name deletes all ciphers with that cipher (eNULL and aNULL, or
null encryption and null authenication are popular candidates for exclusing
:-). Anyway, the list of tags is in ssl.h (I think), and ssleay ciphers
should be used to verify the results, since there are some 'bugs' it 0.8.1.
eric
+-------------------------------------------------------------------------+
| Administrative requests should be sent to [EMAIL PROTECTED] |
| List service provided by Open Software Associates, http://www.osa.com/ |
+-------------------------------------------------------------------------+
