From 6d3dec92fb2df3129da5022f4277cc093ecd7b5f Mon Sep 17 00:00:00 2001 From: =?utf8?q?Lutz=20J=C3=A4nicke?= Date: Fri, 20 Jul 2001 19:23:43 +0000 Subject: [PATCH] Updated explanation. --- doc/ssl/SSL_CTX_set_cipher_list.pod | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/doc/ssl/SSL_CTX_set_cipher_list.pod b/doc/ssl/SSL_CTX_set_cipher_list.pod index 9a29eeeb95..84825fb6f5 100644 --- a/doc/ssl/SSL_CTX_set_cipher_list.pod +++ b/doc/ssl/SSL_CTX_set_cipher_list.pod @@ -34,9 +34,22 @@ a necessary condition. On the client side, the inclusion into the list is also sufficient. On the server side, additional restrictions apply. All ciphers have additional requirements. ADH ciphers don't need a certificate, but DH-parameters must have been set. All other ciphers need a corresponding -certificate and key. A RSA cipher can only be chosen, when a RSA certificate is -available, the respective is valid for DSA ciphers. Ciphers using EDH need -a certificate and key and DH-parameters. +certificate and key. + +A RSA cipher can only be chosen, when a RSA certificate is available. +RSA export ciphers with a keylength of 512 bits for the RSA key require +a temporary 512 bit RSA key, as typically the supplied key has a length +of 1024 bit. RSA ciphers using EDH need a certificate and key and +additional DH-parameters. + +A DSA cipher can only be chosen, when a DSA certificate is available. +DSA ciphers always use DH key exchange and therefore need DH-parameters. + +When these conditions are not met for any cipher in the list (e.g. a +client only supports export RSA ciphers with a asymmetric key length +of 512 bits and the server is not configured to use temporary RSA +keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated +and the handshake will fail. =head1 RETURN VALUES -- 2.25.1