Posted to dev@apr.apache.org by Tollef Fog Heen <tf...@err.no> on 2007/11/22 19:01:37 UTC

Re: svn commit: r597209 - in /apr/apr-util/trunk: CHANGES build/ssl.m4 include/apr_buckets.h include/apr_ssl.h include/private/apr_ssl_openssl_private.h ssl/apr_ssl_openssl.c ssl/apr_ssl_winsock.c

* "Graham Leggett" 

| I could not find an OpenSSL function that would provide a canonical list
| of supported ciphers (that is not to say such a function definitely does
| not exist).

«ltrace openssl ciphers» seems to show it calling SSL_get_cipher_list
multiple times, so maybe that's a useful starting point?

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Re: svn commit: r597209 - in /apr/apr-util/trunk: CHANGES build/ssl.m4 include/apr_buckets.h include/apr_ssl.h include/private/apr_ssl_openssl_private.h ssl/apr_ssl_openssl.c ssl/apr_ssl_winsock.c

Posted by Graham Leggett <mi...@sharp.fm>.
Tollef Fog Heen wrote:

> | I could not find an OpenSSL function that would provide a canonical list
> | of supported ciphers (that is not to say such a function definitely does
> | not exist).
> 
> «ltrace openssl ciphers» seems to show it calling SSL_get_cipher_list
> multiple times, so maybe that's a useful starting point?

Will have to look; I suspect this may be a different cipher list to that
required by EVP; the SSL cipher list is significantly more involved. As
Joe points out, using the SSL* library to initialise the EVP library is 
lame, but there are constraints that OpenSSL limits you to. For example, 
you can set the certificates you want to use using 
SSL_CTX_use_certificate (IIRC), but there is no corresponding getter 
function to retrieve the certificate again. The only way around it that 
I have yet found is to create an SSL* context, and use the getters from 
that to retrieve the cert. This is not ideal, but it does behave the 
same way as apr_ssl_* and friends, which follows the principle of least 
astonishment.

Regards,
Graham
--