On Mon, 24 Mar 2008, Pat Riehecky wrote:
I am trying to limit the cipher list for TLS negotiations, but I don't seem to be able to do this.....
...
TLS: could not set cipher list !ALL:HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:+SHA:+MD5.
main: TLS init def ctx failed: -1
You can test your cipher list expression by passing it to the "openssl ciphers" command:
$ openssl ciphers -v !ALL:HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:+SHA:+MD5
Error in cipher list
16507:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:/usr/src/lib/libssl/src/ssl/ssl_lib.c:1144:
$
So your cipher list disables all the ciphers. The error is in the first term: If `!' is used, then the ciphers are permanently deleted from the list. The ciphers deleted can never reappear in the list even if they are explicitly stated.
So, your "!ALL" completely removes the "ALL" ciphers from the list and nothing can reinsert them after that.
Offhand, it's not clear what you're trying to accomplish with that cipher list expression, so it's not clear what the right 'fix' is.
Philip Guenther
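An added example, not part of this thread, that reproduces the rule Philip quotes using Python's ssl module, which hands the expression to the same OpenSSL cipher-list parser as "openssl ciphers". The helper names and the second expression (starting with "-ALL", whose deletions later terms may undo) are my own.

```python
import ssl

# Constructed sample: the expression from the posted error message, verbatim.
POSTED_EXPR = "!ALL:HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:+SHA:+MD5"


def selected_ciphers(expr):
    """Names of the TLS 1.2-and-earlier ciphers OpenSSL keeps for a cipher-list
    expression, or [] when OpenSSL rejects it ("no cipher match")."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(expr)          # same parser as SSL_CTX_set_cipher_list()
    except ssl.SSLError:
        return []
    # get_ciphers() also reports TLS 1.3 suites, which this expression syntax
    # does not govern; drop them so the count reflects only what expr selected.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def trace(expr):
    """Evaluate the expression one term at a time and return
    (cumulative prefix, number of ciphers selected) for each step, so you can
    see at which term the list goes empty and whether later terms refill it."""
    terms = expr.split(":")
    out = []
    for i in range(len(terms)):
        prefix = ":".join(terms[: i + 1])
        out.append((prefix, len(selected_ciphers(prefix))))
    return out


if __name__ == "__main__":
    # Leading "!ALL" kills every cipher for good: the count never leaves 0.
    for prefix, n in trace(POSTED_EXPR):
        print(f"{n:4d}  {prefix}")
    print()
    # "-ALL" only deletes; the following HIGH term adds ciphers back.
    for prefix, n in trace("-ALL:HIGH:!aNULL:!eNULL"):
        print(f"{n:4d}  {prefix}")
```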