On Wed, Feb 08, 2006 at 12:53:26PM -0700, Kyle Hamilton wrote:

> Check the documentation for the various levels to see what each cipher
> falls into. Specifically, "LOW" is any 40 or 56-bit cipher, and 768
> bytes or below RSA key. MEDIUM is any 128 bit cipher (except AES) and
> 1024 bits or more of RSA key. HIGH is any 256-bit cipher, any AES
> cipher, and 2048+ bits of RSA key. That's the general breakdown, as
> far as I recall (from earlier discussions on this list).
>

I am looking for supported API interfaces, not internal structure
details. I am asking how to check whether the current cipher is a member
of the cipher list for a given cipher rule string that the administrator
may specify as indicating a "secure-channel" encryption level.

$ openssl ciphers -v 'HIGH:MEDIUM:!ADH:!SSLv2:@STRENGTH'
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-RC4-SHA SSLv3 Kx=DH Au=DSS Enc=RC4(128) Mac=SHA1
KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5
KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
KRB5-DES-CBC3-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=MD5
KRB5-DES-CBC3-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1

Nothing here about RSA key lengths, just symmetric key sizes. Presumably
the asymmetric ciphers have appropriate minimum key lengths when used
with strong symmetric ciphers, but in any case, the question is how
to query for cipher list membership.

Some of the relevant functions are SSL_set_cipher_list() and
SSL_get_cipher_list(); it looks like I could construct a dummy "SSL",
apply the cipher spec to it (rather than the SSL associated with the
actual session, since it is not clear what the consequences of changing
its cipher list may be), then look for the current cipher on the list.

Is there a better way? Is this a sensible interface, or would I be
better off just asking the administrator for a bit strength? I
would like an answer from someone who is prepared to go beyond the
documentation. I have read it, and read much of the relevant code
also.

--
Viktor.
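The throwaway-"SSL" approach sketched above, as an added example that is not part of the original thread: it uses Python's ssl module (which wraps the same OpenSSL cipher-rule machinery) rather than the C API, and the helper names and the constant `SECURE_CHANNEL_RULE` are mine, the rule string itself being the one from the post.

```python
import ssl


def ciphers_for_rule(rule: str) -> set:
    """Names of the ciphers an OpenSSL cipher rule string selects.

    Hypothetical helper: the rule is applied to a throwaway SSLContext that is
    never used for a connection, so the live session's cipher list is untouched.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(rule)
    except ssl.SSLError as exc:
        # OpenSSL only rejects a rule that selects nothing at all; unknown
        # keywords (e.g. '!SSLv2' on a build without SSLv2) are silently skipped.
        raise ValueError(f"cipher rule {rule!r} selects no ciphers") from exc
    # TLS 1.3 suites are governed by a separate setting (SSL_CTX_set_ciphersuites)
    # and are always reported by get_ciphers(), so they are not members of the rule.
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def cipher_in_rule(cipher_name: str, rule: str) -> bool:
    """True if cipher_name (as returned by SSLSocket.cipher()[0]) is on the rule's list."""
    return cipher_name in ciphers_for_rule(rule)


# The administrator-supplied "secure-channel" rule from the post.
SECURE_CHANNEL_RULE = "HIGH:MEDIUM:!ADH:!SSLv2:@STRENGTH"

if __name__ == "__main__":
    # Equivalent of 'openssl ciphers' for the rule, plus the membership check
    # that the session-side code would run against its negotiated cipher name.
    for name in sorted(ciphers_for_rule(SECURE_CHANNEL_RULE)):
        print(f"{name:30} member={cipher_in_rule(name, SECURE_CHANNEL_RULE)}")
```

Which names come back depends on the OpenSSL build and its security level, exactly as with the command-line output above, which is why the check is done at run time against the library rather than against a hard-coded table.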

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List
