> From: owner-openssl-us...@openssl.org On Behalf Of Gauri Kshirsagar
> Sent: Tuesday, 03 May, 2011 05:37
> I have built an SIP test application using openssl. I am trying
> to restrict the ciphers sent by this application in Client Hello
> to those with only RSA key exchange.
> Is there a way to configure it in OpenSSL?
> I tried to compile the source code with SSL_DEFAULT_CIPHER_LIST
> set to "RSA:!aNULL:!eNULL:+RC4:@STRENGTH" in ssl.h.
> When I run openssl ciphers -v the ciphers listed are just those with RSA,
> C:\Openssl_src\openssl-0.9.8f\openssl-0.9.8f\out32dll>openssl.exe ciphers -v
<snip>
> but when I build the application using these new libraries
> the application still sends all the ciphers as shown below
<snip>
Won't be able to paste the entire source code since the SIP application
uses SipXces stack. SipStack has been built with open ssl which calls
SSL_connect as shown below
void OsSSLConnectionSocket::SSLInitSocket(int socket, long timeoutInSecs)
{
    if (mIsConnected)
    {
        int err = -1;
        // TODO: eventually this should allow for other SSL contexts...
        mSSL = OsSharedSSL::get()->getServerConnection();
        if (mSSL && (socketDescriptor > OS_INVALID_SOCKET_DESCRIPTOR))
        {
            SSL_set_fd (mSSL, socketDescriptor);
            err = SSL_connect(mSSL);
Any pointers that you think I could verify from my end would be helpful.
!aNULL after (only) RSA is a no-op.
1. Make sure the application *runs* with your modified DLL(s).
On Unix the equivalent is explicit, but IME most Windows versions
formerly tried the executable's directory first and then PATH
but recent Windows security patches apparently changed this.
2. The default is only the default. If the application calls
SSL_[CTX_]set_cipher_list that overrides. Unless you have a
reason to make this change across your entire system (or
network) it's usually better for each application to configure
its own cipherlists than have 3 or 5 or 20 different OpenSSLs.
I could not find application explicitly calling SSL_set_cipher_list()
anywhere and it seemed to be using new libraries.
However as per your suggestion I am now setting the cipher list in the
application before SSL_connect and it sends
the desired ciphers.
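The approach the thread settles on (the application sets its own cipher list before connecting, then checks what it will actually offer), as an added example that is not part of the original messages. It uses Python's ssl module, whose set_ciphers() wraps SSL_CTX_set_cipher_list(); the function names are made up for this example, and the TLS 1.2 cap is an addition for OpenSSL 1.1.1 and later, where TLS 1.3 suites are not controlled by the cipher list.

```python
import ssl

# Cipher string from the thread (the poster compiled it in as SSL_DEFAULT_CIPHER_LIST).
THREAD_CIPHERS = "RSA:!aNULL:!eNULL:+RC4:@STRENGTH"


def make_client_context(cipher_string=THREAD_CIPHERS):
    """Client context restricted by the application, not by a rebuilt libssl."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Wraps SSL_CTX_set_cipher_list(); raises ssl.SSLError if nothing matches.
    ctx.set_ciphers(cipher_string)
    # The cipher list governs TLS 1.2 and below only. Cap the version so the
    # separately configured TLS 1.3 suites are not offered in the ClientHello.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def offered_suites(ctx):
    """(name, key exchange) for each suite the cipher list enables up to TLS 1.2."""
    return [(c["name"], c["kea"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def non_rsa_key_exchange(ctx):
    """Suites that would break the 'RSA key exchange only' requirement."""
    return [name for name, kea in offered_suites(ctx) if kea != "kx-rsa"]


def suite_names(cipher_string):
    """Set of suite names a cipher string selects."""
    return {name for name, _ in offered_suites(make_client_context(cipher_string))}


def same_selection(a, b):
    """True when two cipher strings enable exactly the same suites."""
    return suite_names(a) == suite_names(b)


if __name__ == "__main__":
    ctx = make_client_context()
    for name, kea in offered_suites(ctx):
        print(f"{name:32} {kea}")
    print("non-RSA key exchange:", non_rsa_key_exchange(ctx) or "none")
    # The reply's remark that !aNULL after RSA changes nothing:
    print("!aNULL is a no-op:", same_selection("RSA:!eNULL", "RSA:!aNULL:!eNULL"))
```

Running the same check against the context the application really uses confirms which library and which cipher list are in effect, which is what the reply's two points come down to.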