[Mono-dev] Status of SslStream and Related Classes

Sebastien Pouliot sebastien.pouliot at gmail.com
Thu Aug 18 07:39:16 EDT 2005


Hello Martin,

On Thu, 2005-18-08 at 09:57 +0100, Martin Hinks wrote:
> I also have a quick q about the SSLStream that I thought would fit
> under this topic ;P
> 
> Is the problem with unsupported ciphers due to bugs/incompleteness of
> their components - i.e. ciphers using DH - are they missing because DH
> is missing, etc.?

Quick answer:

* This is not a "problem", it's just a ((very) optional) task no one
else has done (probably because no one needs it badly enough to code/test
it).


Long answer:

* An SSL/TLS implementation doesn't have to support all possible
ciphers. This is why SSL/TLS include a negotiation step;

* The design of SslStream (just like the earlier SslClientStream and
SslServerStream) doesn't include an API to select which algorithms to
use (or not use). So the user is out of the loop for selecting the
cipher (i.e. it will be negotiated between the client and server);

* Adding ciphers to SSL is much easier than testing them (and the API
doesn't make it easier);

* People don't like it when something supported doesn't work, so Mono will
add new ciphers to SSL only if we're sure they are working properly ;-)

* Mono.Security.dll supports DH (i.e. DH is present and working) so it
isn't a cryptographic issue;

* DH wasn't really helpful for HTTPS (my main interest), nor for data
access (Carlos), so we didn't implement support for it;

So it's not a problem (at least for most people). Adding DH support
shouldn't be a very complex task for anyone interested (but testing may
be a little more painful).
-- 
Sebastien
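The negotiation step the reply leans on (a client that lacks DH cipher suites still interoperates with any server that also offers RSA key exchange, and fails cleanly against a DHE-only server) is easy to see in a small model. The code below is an added example, not code from the mail, from Mono or from Mono.Security; the client and server suite lists are constructed, and the code points are the real IANA values for the named suites. It mirrors how a TLS server picks the cipher_suite it echoes in ServerHello from the list the client sent in ClientHello.

```python
"""Model of TLS cipher-suite negotiation (added example, not Mono code)."""
from typing import Optional, Sequence

# Real IANA cipher-suite code points, used here only as readable labels.
CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}

# Constructed lists. The client resembles the implementation described in
# the mail: RSA key exchange only, no DH/DHE suites at all.
CLIENT_OFFER = [0x002F, 0x0035, 0x000A, 0x0004]
# A server that prefers DHE but still offers plain RSA suites.
SERVER_MIXED = [0x0039, 0x0033, 0x0035, 0x002F]
# A server configured for DHE suites only.
SERVER_DHE_ONLY = [0x0039, 0x0033]


def negotiate(client_offer: Sequence[int], server_supported: Sequence[int],
              server_preference: bool = True) -> Optional[int]:
    """Select the cipher suite a server would put in ServerHello.

    client_offer is ClientHello.cipher_suites in the client's preference
    order; server_supported is the server's list in its own order. With
    server_preference the server's order wins, otherwise the client's.
    Returns None where a real server would send a handshake_failure alert.
    """
    if server_preference:
        offered = set(client_offer)
        for suite in server_supported:
            if suite in offered:
                return suite
    else:
        supported = set(server_supported)
        for suite in client_offer:
            if suite in supported:
                return suite
    return None


def describe(suite: Optional[int]) -> str:
    """Human-readable outcome of a negotiation."""
    if suite is None:
        return "handshake_failure: no cipher suite in common"
    return f"0x{suite:04X} {CIPHER_SUITES.get(suite, '<unknown suite>')}"


def uses_dh_key_exchange(suite: int) -> bool:
    """True for the DH/DHE suites in the table above."""
    return "_DH" in CIPHER_SUITES.get(suite, "")


if __name__ == "__main__":
    print("mixed server, server preference:",
          describe(negotiate(CLIENT_OFFER, SERVER_MIXED)))
    print("mixed server, client preference:",
          describe(negotiate(CLIENT_OFFER, SERVER_MIXED, server_preference=False)))
    print("DHE-only server:",
          describe(negotiate(CLIENT_OFFER, SERVER_DHE_ONLY)))
```

Because the client never lists a DHE suite, no server can select one for it, which is why missing DH suites show up as a failed handshake against a DHE-only peer rather than as a broken connection. It also illustrates the reply's remark about the API: a caller of a stream class that exposes no suite-selection hook can only influence the outcome by inspecting the negotiated suite after the handshake, not by shaping the offer.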