openssl cipher suite query


openssl cipher suite query

by achint dudhwala

If an application uses OpenSSL and doesn't set the cipher suites explicitly:

1. Does it use the OpenSSL default cipher suite listed by "openssl ciphers -v"?
2. As the default cipher suite contains export cipher suites also, is there a chance of the application using one among the export cipher suites?
3. How can we configure the application for not using the export cipher suites?



Re: openssl cipher suite query

by Mari-10

Good morning, Achint!

I think that you have two options: either you change your application, or your OpenSSL.

To change your OpenSSL, see this:
http://groups.google.com.br/group/mailing.openssl.dev/browse_thread/thread/65b27a723255435e/eb5dcb25ab57d737?lnk=gst&q=MARIHOFFART#eb5dcb25ab57d737

Best Regards,
Mariana Hoffart Dias




Re: openssl cipher suite query

by Victor Duchovni

On Fri, Oct 30, 2009 at 02:50:55PM +0530, achint dudhwala wrote:

> 3. How can we configure the application for not using the export
> cipher suites.

If the application supports a configurable cipher list, use:

        DEFAULT:!EXPORT:!LOW:!SSLv2

unless you need to support pre-historic SSL peers that only support SSLv2,
in which case:

        DEFAULT:!EXPORT:!LOW

will work with OpenSSL versions that include SSLv2 ciphers in DEFAULT,
otherwise (the most recent release of 0.9.8 and 1.0 or later), you need to use:

        ALL:!aNULL:!EXPORT:!LOW:@STRENGTH

the "@STRENGTH" is not needed with 1.0 or later, as "ALL" is already
sensibly sorted, starting with 1.0.0 (currently in beta).

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@...
Automated List Manager                           majordomo@...

Re: openssl cipher suite query

by achint dudhwala

1. How can we configure it using configuration files? Which configuration file and which field to modify? Some example usage would greatly help.
2. Can it be done using the OpenSSL API instead of configuration files?
 
Thanks.
 

Re: openssl cipher suite query

by Victor Duchovni

On Tue, Nov 03, 2009 at 10:31:27AM +0530, achint dudhwala wrote:

> 1. How can we configure it using configuration files. Which
> configuration file and which field to modify?

OpenSSL is a development toolkit, not a product. Configuration settings
are an application issue: not an OpenSSL issue. Ask your application
provider. OpenSSL provides mechanisms for applications to specify a
preferred cipherlist, how applications decide which settings to apply
is up to them.

> 2. Can it be done using Openssl API instead of configuration files?

If you are writing your own application, see the documentation for:

    SSL_CTX_set_cipher_list(3)

--
        Viktor.
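
The cipher strings from this thread, applied through an API and checked for leftover export, low-strength or anonymous suites; this is an added example, not part of the original posts. It uses Python's standard `ssl` module, whose `set_ciphers()` takes the same OpenSSL cipher list format; `weak_suites`, `audit`, the 112-bit threshold and the `LEGACY_SAMPLE` entries are constructed for illustration.

```python
import ssl

# Cipher strings suggested in the thread.
THREAD_STRINGS = (
    "DEFAULT:!EXPORT:!LOW:!SSLv2",
    "DEFAULT:!EXPORT:!LOW",
    "ALL:!aNULL:!EXPORT:!LOW:@STRENGTH",
)

# Constructed entries in the shape get_ciphers() returns, imitating an old
# build that still shipped export, single-DES and anonymous suites.
LEGACY_SAMPLE = [
    {"name": n, "strength_bits": b, "description": d} for n, b, d in (
        ("EXP-RC4-MD5", 40, "Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export"),
        ("DES-CBC-SHA", 56, "Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1"),
        ("ADH-AES128-SHA", 128, "Kx=DH Au=None Enc=AES(128) Mac=SHA1"),
        ("AES128-SHA", 128, "Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1"),
    )
]

def enabled_suites(cipher_string):
    """Apply cipher_string to a fresh context; return the suites OpenSSL enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if the string selects nothing
    return ctx.get_ciphers()

def weak_suites(suites, min_bits=112):
    """Return (name, reason) pairs; min_bits is this example's own threshold."""
    findings = []
    for s in suites:
        if s["name"].startswith("EXP"):
            findings.append((s["name"], "export"))
        elif s["strength_bits"] < min_bits:
            findings.append((s["name"], "low strength"))
        elif "Au=None" in s["description"]:
            findings.append((s["name"], "anonymous"))
    return findings

def audit(cipher_string):
    """Weak suites left enabled by cipher_string, or None if it is unusable."""
    try:
        return weak_suites(enabled_suites(cipher_string))
    except ssl.SSLError:
        return None

if __name__ == "__main__":
    for string in THREAD_STRINGS:
        print(string, "->", audit(string))
    print("legacy sample ->", weak_suites(LEGACY_SAMPLE))
```

On a build that no longer ships export suites, all three strings audit as an empty list; the constructed sample shows what the check reports when such suites are present.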