On Jun 19, 2012, at 17:36 , Robert Haas wrote:
> On Mon, Jun 18, 2012 at 1:42 PM, Martijn van Oosterhout
> <kleptog@svana.org> wrote:
>> On Sun, Jun 17, 2012 at 12:29:53PM -0400, Tom Lane wrote:
>>> The fly in the ointment with any of these ideas is that the "configure
>>> list" is not a list of exact cipher names, as per Magnus' comment that
>>> the current default includes tests like "!aNULL". I am not sure that
>>> we know how to evaluate such conditions if we are applying an
>>> after-the-fact check on the selected cipher. Does OpenSSL expose any
>>> API for evaluating whether a selected cipher meets such a test?
>>
>> I'm not sure whether there's an API for it, but you can certainly check
>> manually with "openssl ciphers -v", for example:
>>
>> $ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
>> NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
>> NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
>>
>> ...etc...
>>
>> So unless the openssl includes the code twice there must be a way to
>> extract the list from the library.
>
> There doubtless is, but I'd be willing to wager that you won't be
> able to figure out the exact method without reading the source code
> for 'openssl ciphers' to see how it was done there, and most likely
> you'll find that at least one of the functions they use has no man
> page. Documentation isn't their strong point.
Yes, unfortunately.
I wonder though if we shouldn't restrict the allowed ciphers list to being
a simple list of supported ciphers. If our goal is to support multiple
SSL libraries transparently then surely having openssl-specific syntax
in the config file isn't exactly great anyway...

best regards,
Florian Pflug
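The after-the-fact check Tom asks about (is the cipher that was actually negotiated permitted by a spec like "HIGH:!aNULL"?) can be done without parsing OpenSSL's cipher-string syntax at all: hand the spec to the library, let it expand the list exactly as `openssl ciphers -v` does, and test membership. The example below is an added illustration and is not code from this thread or from PostgreSQL; it uses Python's `ssl` module, which wraps the linked OpenSSL's `SSL_CTX_set_cipher_list` and cipher enumeration. The function names and the sample spec and cipher names are the example's own.

```python
import ssl

# Added example (not from the pgsql-hackers thread): evaluate an OpenSSL
# cipher-list spec by letting OpenSSL expand it, then check a negotiated
# cipher name against the result. Negations such as "!aNULL" are handled
# by OpenSSL itself, so no spec parsing is needed here.


def expand_cipher_spec(spec):
    """Return the concrete cipher names OpenSSL selects for `spec`.

    Raises ssl.SSLError when nothing matches, which is also how a typo
    in the spec (or a build lacking every named cipher) shows up.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    # get_ciphers() also reports TLS 1.3 suites, which set_ciphers()
    # does not govern in OpenSSL 1.1.1+; they are kept here on purpose
    # so the list matches what the library would actually offer.
    return [c["name"] for c in ctx.get_ciphers()]


def spec_is_valid(spec):
    """True if `spec` selects at least one cipher in this OpenSSL build."""
    try:
        expand_cipher_spec(spec)
        return True
    except ssl.SSLError:
        return False


def cipher_allowed(spec, negotiated_name):
    """After-the-fact policy check for a cipher name a peer negotiated."""
    return negotiated_name in expand_cipher_spec(spec)


def unauthenticated_names(spec):
    """Cipher names in the expansion whose key exchange has no
    authentication (anonymous DH / ECDH), i.e. what "!aNULL" removes.
    Uses the conventional ADH-/AECDH- name prefixes as the heuristic."""
    return [n for n in expand_cipher_spec(spec)
            if n.startswith(("ADH-", "AECDH-"))]


if __name__ == "__main__":
    # Constructed sample values: a policy string and two cipher names.
    policy = "HIGH:!aNULL"
    for name in ("ECDHE-RSA-AES256-GCM-SHA384", "ADH-AES256-GCM-SHA384"):
        verdict = "allowed" if cipher_allowed(policy, name) else "rejected"
        print("%s under %r: %s" % (name, policy, verdict))
    print("anonymous ciphers left by policy:", unauthenticated_names(policy))
    print("spec 'NO-SUCH-CIPHER' valid:", spec_is_valid("NO-SUCH-CIPHER"))
```

Because the expansion is computed by the same library that negotiates the connection, the check agrees with what that OpenSSL build will actually offer; it does not, however, make the spec portable across SSL libraries, which is the point Florian raises above.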