I am developing a secure HTTP web proxy server using
OpenSSL 0.9.6d. It supports SSL/TLS on both client
and server sides. I have already implemented the
basic secure connection and authentication functions
using examples found in OpenSSL books.
I am not a security expert, and my customer is asking
the following questions:
1) What is the key-length of the symmetric and
asymmetric encryption for the TLS1.0 and SSL3.0
protocols? It should be the following:
"TLS 1.0 as described in [RFC2246] must support 128bit
and 1024 key length for symmetric and asymmetric
"SSL3.0 as described in [SSL] must support 128bit and
1024 key length for symmetric and asymmetric
2) Is this key-length directly related to the
algorithms used (RC4, 3DES, AES)?
3) What is passed in its CLIENT_HELLO message during
the SSL-handshake: the different supported
algorithms, the different key-lengths, ...
For question #1, I would expect that OpenSSL indeed
supports the requirements in RFC2246.
Question #2 is probably "yes" as well.
For #3, my code is not modifying the cipher suites in
the SSL context, so the answer might be whatever
"openssl ciphers" prints out:
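
Added example, not part of the original message and not OpenSSL code: a minimal Python parser for the ClientHello of question 3. It shows that the message carries a list of 2-byte cipher suite IDs rather than explicit key lengths, and that the symmetric key length follows from the suite chosen; the asymmetric key size is not in the ClientHello at all. The sample record is constructed, and the `SUITES` table and function names are assumptions of this example.

```python
import struct

# A few suite IDs from RFC 2246 and RFC 3268 -> (name, nominal symmetric key bits).
SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", 40),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", 128),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 168),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", 256),
}

def build_client_hello(version, suite_ids):
    """Build a sample ClientHello record (constructed data, not a capture)."""
    body = struct.pack("!H", version) + bytes(32)   # client_version, 32-byte random
    body += b"\x00"                                  # empty session_id
    body += struct.pack("!H", 2 * len(suite_ids))    # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suite_ids)
    body += b"\x01\x00"                              # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs  # record type 22

def parse_client_hello(record):
    """Return (client_version, [suite ids]) from a record holding one ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + body_len]
    if rec_len != body_len + 4 or len(body) != body_len or body_len < 35:
        raise ValueError("truncated or inconsistent ClientHello")
    version = struct.unpack("!H", body[:2])[0]
    pos = 35 + body[34]                              # skip version, random, session_id
    if pos + 2 > body_len:
        raise ValueError("session_id overruns message")
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    raw = body[pos + 2:pos + 2 + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        raise ValueError("bad cipher_suites length")
    return version, [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, cs_len, 2)]

def below_minimum(suite_ids, min_bits=128):
    """Offered suites that are not in SUITES or whose key is shorter than min_bits."""
    return [s for s in suite_ids if SUITES.get(s, ("unknown", 0))[1] < min_bits]

if __name__ == "__main__":
    version, offered = parse_client_hello(
        build_client_hello(0x0301, [0x0005, 0x000A, 0x0003, 0x002F]))  # 0x0301 = TLS 1.0
    for s in offered:
        print(f"0x{s:04X}", *SUITES.get(s, ("unknown", 0)))
    print("below 128 bits:", [f"0x{s:04X}" for s in below_minimum(offered)])
```

In OpenSSL the list a client offers is whatever the context's cipher list allows, which `SSL_CTX_set_cipher_list` restricts.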