-
-
Notifications
You must be signed in to change notification settings - Fork 204
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support cipher suite selection #4
Comments
We'll also probably want to disable unauthenticated and anonymous suites entirely. |
I'm interested in this. I took a stab at the I don't think my change is necessarily production ready yet, as it's not necessarily maintainable in its current state. In my change, the questions I still have are:
|
OpenSSL's the most flexible here, and SChannel is the least. The cross-platform solution will probably look something like an SChannel style enum of algorithms that will be unioned:
If you then call
would mean all ciphers that use RSA or DHE for key exchange, AES as a bulk cipher, and SHA256 as a hash algorithm would be enabled. That'd translate in SChannel to
and in OpenSSL to (note that we have to generate the cartesian product of key exchange, bulk cipher and hash algorithms)
and in Secure Transport to a somewhat complicated dance where we load supported ciphers and filter them through the provided algorithms:
One interesting question is what to do if no algorithm in a category is specified (e.g. just
&[Algorithm::Aes, Algorithm::Dhe]
is passed). Should that mean that no suites match and no connections will work, or that all algorithms of that type can be used?An alternative design would be to have separate enums for each algorithm type:
It would be a bit more clear, but more verbose as well.
The text was updated successfully, but these errors were encountered: