Update docs.
(instead of parameters) in future.
[Steve Henson]
- *) Apply Lutz Jaenicke's 56bit cipher patch. This should fix the problems
- with cipher ordering and the new EXPORT1024 ciphers. Only two minor
- changes have been made, the error reason codes have been altered and the
- @STRENGTH sorting behaviour changed so eNULL ciphers are also sorted
- (if present).
-
- One other addition: the "ciphers" program didn't check the return code
- of SSL_CTX_set_cipher_list().
- [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> modified by Steve Henson]
+ *) Make the ciphers, s_server and s_client programs check the return values
+ when a new cipher list is set.
+ [Steve Henson]
+
+ *) Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit
+ ciphers. Before when the 56bit ciphers were enabled the sorting was
+ wrong.
+
+ The syntax for the cipher sorting has been extended to support sorting by
+ cipher-strength (using the strength_bits hard coded in the tables).
+ The new command is "@STRENGTH" (see also doc/apps/ciphers.pod).
+
+ Fix a bug in the cipher-command parser: when supplying a cipher command
+ string with an "undefined" symbol (neither command nor alphanumeric
+ [A-Za-z0-9], ssl_set_cipher_list used to hang in an endless loop. Now
+ an error is flagged.
+
+ Due to the strength-sorting extension, the code of the
+ ssl_create_cipher_list() function was completely rearranged. I hope that
+ the readability was also increased :-)
+ [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>]
*) Minor change to 'x509' utility. The -CAcreateserial option now uses 1
for the first serial number and places 2 in the serial number file. This
}
SSLeay_add_ssl_algorithms();
+ SSL_load_error_strings();
ctx=SSL_CTX_new(meth);
if (ctx == NULL)
{
if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
if (cipher != NULL)
- SSL_CTX_set_cipher_list(ctx,cipher);
+ if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
+ BIO_printf(bio_err,"error seting cipher list\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
#if 0
else
SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
/* goto end; */
}
- SSL_load_error_strings();
con=(SSL *)SSL_new(ctx);
/* SSL_set_cipher_list(con,"RC4-MD5"); */
#endif
if (cipher != NULL)
- SSL_CTX_set_cipher_list(ctx,cipher);
+ if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
+ BIO_printf(bio_err,"error seting cipher list\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
sizeof s_server_session_id_context);
=item B<-cipher cipherlist>
-this allows the cipher list sent by the client to be modified. See the
-B<ciphers> command for more information.
+this allows the cipher list sent by the client to be modified. Although
+the server determines which cipher suite is used it should take the first
+supported cipher in the list sent by the client. See the B<ciphers>
+command for more information.
=back
=item B<-cipher cipherlist>
-this allows the cipher list sent by the client to be modified. See the
-B<ciphers> command for more information.
+this allows the cipher list used by the server to be modified. When
+the client sends a list of supported ciphers the first client cipher
+also included in the server list is used. Because the client specifies
+the preference order, the order of the server cipherlist irrelevant. See
+the B<ciphers> command for more information.
=item B<-www>