On Mon, Jun 18, 2012 at 1:42 PM, Martijn van Oosterhout
<kleptog@svana.org> wrote:
> On Sun, Jun 17, 2012 at 12:29:53PM -0400, Tom Lane wrote:
>> The fly in the ointment with any of these ideas is that the "configure
>> list" is not a list of exact cipher names, as per Magnus' comment that
>> the current default includes tests like "!aNULL". I am not sure that
>> we know how to evaluate such conditions if we are applying an
>> after-the-fact check on the selected cipher. Does OpenSSL expose any
>> API for evaluating whether a selected cipher meets such a test?
>
> I'm not sure whether there's an API for it, but you can certainly check
> manually with "openssl ciphers -v", for example:
>
> $ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
> NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
> NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
>
> ...etc...
>
> So unless the openssl includes the code twice there must be a way to
> extract the list from the library.
There doubtless is, but I'd being willing to wager that you won't be
able to figure out the exact method without reading the source code
for 'opennssl ciphers' to see how it was done there, and most likely
you'll find that at least one of the functions they use has no man
page. Documentation isn't their strong point.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company