Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#1845 closed enhancement (fixed)

Add support if OpenSSL library has more than 100 cipher suites

Reported by: ming
Owned by: bennylp
Priority: normal
Milestone: release-2.4.5
Component: applications
Version: trunk
Keywords:
Cc:
Backport to 1.x milestone:
Backported: no


Add support if the underlying OpenSSL library supports more than 100 suites.

Currently, pjproject assumes that no OpenSSL library with more than 100
cipher suites exists. OpenSSL 1.0.1 in Ubuntu 14.04 has 98. However, the
number of cipher suites has risen a lot. If such a library (with more than
100 ciphers) is used, only the first 100 cipher suites are allowed to be set
manually (for example via --tls-cipher in pjsua). If the cipher suites are
not changed manually, this code is not passed and the default cipher suites
are offered by pjsua (even if there are more than 128).

The ticket also allows all available cipher suites by changing the filter from "ALL" to
"ALL:COMPLEMENTOFALL". The OpenSSL team disabled ciphers without encryption
(eNULL). However, those can be useful while testing. This change does not
change existing implementations, because the implementation of the method
"set_cipher_list" sets the list (implicitly) to "DEFAULT" when the condition
"ssock->param.ciphers_num == 0" is met (= no cipher-suites are set
manually). DEFAULT is without aNULL and eNULL ciphers.

Special thanks to Alexander Traud for the patch and the ticket description above.
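
An added example (not pjproject code and not part of the ticket): a Python check, run against whatever OpenSSL the interpreter is linked to, that counts the suites selected by the rules named above, lists what a fixed 100-entry array would drop, and flags suites without encryption or authentication. All function names are hypothetical.

```python
import ssl

OLD_CAP = 100  # former hardcoded limit described in the ticket


def suites(rule):
    """Suites the linked OpenSSL selects for a cipher-list rule, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(rule)
    return ctx.get_ciphers()


def names(rule):
    return [c["name"] for c in suites(rule)]


def unencrypted(rule):
    """eNULL suites: OpenSSL reports 0 secret bits for them."""
    return [c["name"] for c in suites(rule) if c["strength_bits"] == 0]


def anonymous(rule):
    """aNULL suites: the description field carries Au=None."""
    return [c["name"] for c in suites(rule) if "Au=None" in c["description"]]


def added_by_complement():
    """Suites that only appear once COMPLEMENTOFALL is appended to ALL."""
    base = set(names("ALL"))
    return [n for n in names("ALL:COMPLEMENTOFALL") if n not in base]


def beyond_cap(rule, cap=OLD_CAP):
    """Suites that a fixed-size array of `cap` entries would drop."""
    return names(rule)[cap:]


def report():
    """One summary line per rule discussed in the ticket."""
    return [
        f"{rule}: {len(names(rule))} suites, "
        f"{len(beyond_cap(rule))} past index {OLD_CAP}, "
        f"{len(unencrypted(rule))} eNULL, {len(anonymous(rule))} aNULL"
        for rule in ("DEFAULT", "ALL", "ALL:COMPLEMENTOFALL")
    ]


if __name__ == "__main__":
    print("\n".join(report()))
    print("added by COMPLEMENTOFALL:", added_by_complement())
```

The counts depend on the OpenSSL build; the suites reported as eNULL or aNULL are the ones to keep out of any manually configured list outside of testing.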

Change History (2)

comment:1 Changed 5 years ago by ming

  • Resolution set to fixed
  • Status changed from new to closed

In 5076:

Fixed #1845: Add support if OpenSSL library has more than 100 cipher suites

comment:2 Changed 5 years ago by ming

In 5077:

Re #1845: Remove the hardcoded buffer size in one more place, to use PJ_SSL_SOCK_MAX_CIPHERS
