I am coding an SSL server in C + 开发者_如何学运维OpenSSL. This is pretty straightforward, and there are lots of examples to follow.
However, I need to interoperate with a broad range of legacy clients, some of which are really old, and have a variety of bugs which prevent SSL negotiation from working. Reaching the users of these clients to have them upgrade is impractical at best.
SSL_CTX_set_options(ctx, SSL_OP_ALL);
... helps, but there are still clients that can't establish an SSL connection.
What other measures can I take to make OpenSSL as interoperable as possible?
(An example problematic client is Kermit95 on Windows -- compiled in 2003, I believe, with a libssleay.dll in the install directory. Although the Kermit95 source is free now, even the maintainer doesn't know how to build it on Windows!)
There are a number of things I know of that increase the interoperability of openSSL.
- Use "ALL" or maybe "ALL:EXPORT:LOW". I haven't checked if ALL really does mean ALL.
- There is a compile-time option to re-enable EXPORT56 ciphers in openSSL. You will have to set TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES to 1 in ssl/tls1.h. By default they are disabled
- Some binary distributions including RedHat's leave out any ciphers that have patent issues.
- The experimental ciphers are likely to require a 512 bit RSA key. See sample code here: http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html
Basic answer - compile your own openSSL!
精彩评论