开发者

Coding/configuring an OpenSSL server for maximum compatibility

开发者 https://www.devze.com 2023-04-13 00:24 出处:网络
I am coding an SSL server in C + 开发者_如何学运维OpenSSL. This is pretty straightforward, and there are lots of examples to follow.

I am coding an SSL server in C + 开发者_如何学运维OpenSSL. This is pretty straightforward, and there are lots of examples to follow.

However, I need to interoperate with a broad range of legacy clients, some of which are really old, and have a variety of bugs which prevent SSL negotiation from working. Reaching the users of these clients to have them upgrade is impractical at best.

SSL_CTX_set_options(ctx, SSL_OP_ALL);

... helps, but there are still clients that can't establish an SSL connection.

What other measures can I take to make OpenSSL as interoperable as possible?

(An example problematic client is Kermit95 on Windows -- compiled in 2003, I believe, with a libssleay.dll in the install directory. Although the Kermit95 source is free now, even the maintainer doesn't know how to build it on Windows!)


There are a number of things I know of that increase the interoperability of openSSL.

  1. Use "ALL" or maybe "ALL:EXPORT:LOW". I haven't checked if ALL really does mean ALL.
  2. There is a compile-time option to re-enable EXPORT56 ciphers in openSSL. You will have to set TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES to 1 in ssl/tls1.h. By default they are disabled
  3. Some binary distributions including RedHat's leave out any ciphers that have patent issues.
  4. The experimental ciphers are likely to require a 512 bit RSA key. See sample code here: http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html

Basic answer - compile your own openSSL!

0

精彩评论

暂无评论...
验证码 换一张
取 消