[openssl-users] Getting the current key exchange algorithm mode from an SSL_CIPHER
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Jan 20 19:23:53 UTC 2016
> On Jan 20, 2016, at 1:13 PM, Eric Erhardt <Eric.Erhardt at microsoft.com> wrote:
>
> What is the most appropriate way to programmatically get the following information about an SSL_CIPHER?
>
> Currently, we need to read:
>
> · Which cipher algorithm is being used
> · Which key exchange algorithm is being used
> · Which MAC hash algorithm is being used
>
> The way we’ve currently been doing this is by looking at the SSL_CIPHER’s algorithm_enc, algorithm_mkey, and algorithm_mac fields. But since there is no public header that contains the enum values, we’ve copied the values out of ssl/ssl_locl.h into our own code.
>
> This is problematic, since these values have recently changed withhttps://github.com/openssl/openssl/commit/bc71f91064a3eec10310fa4cc14fe2a3fd9bc7bb
>
> For example:
> -# define SSL_kDHE 0x00000008U
> +# define SSL_kDHE 0x00000002U
>
>
> One option we’ve discussed is to compare strings returned from SSL_CIPHER_get_name, or SSL_CIPHER_description, but this seems less than ideal.
>
> Is there a better way to programmatically get this information?
At present, you can get:
SSL_CIPHER_get_cipher_nid()
SSL_CIPHER_get_digest_nid()
SSL_CIPHER_get_id()
The last of these returns 0x0300NNMM with {NN,MM} found at the IANA
registry
http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
There are at present no stable nids for the key exchange, so it may be
best to apply your own mappings.
Another option is to create an SSL handle with the given cipher name as the first
cipher-list element and "!kDHE", "!kECDHE", "!kRSA", ... as the second and
last. Whichever of these fails with an empty cipherlist was the actual
key exchange method.
--
Viktor.
More information about the openssl-users
mailing list