<div dir="ltr">Yes, they should be removed as they are merely attempts to mirror constants found in ssl.h that ended up not being used for this patch.</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Feb 1, 2014 at 11:57 AM, Anton Vodonosov <span dir="ltr"><<a href="mailto:avodonosov@yandex.ru" target="_blank">avodonosov@yandex.ru</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Constants +SSL_CTRL_NEED_TMP_RSA+ and +SSL_CTRL_SET_TMP_RSA+<br>
introduced by this patch are not used. Should we remove it?<br>
<br>
<br>
31.01.2014, 20:17, "Kari Lentz" <<a href="mailto:kari.k.lentz@gmail.com">kari.k.lentz@gmail.com</a>>:<br>
<div class="HOEnZb"><div class="h5">> This was tested on a Hunchentoot web server running Linux 3.2.0.54-generic kernel using SBCL 1.1.0. Before the patch, a Windows NT client with only standard export ciphers would not communicate to the Hunchentoot server, where as afterward, the Hunchentoot url worked fine.<br>
> Best Regards,<br>
><br>
> Kari Lentz<br>
><br>
> On Fri, Jan 31, 2014 at 10:43 AM, Anton Vodonosov <<a href="mailto:avodonosov@yandex.ru">avodonosov@yandex.ru</a>> wrote:<br>
>> Hi, thanks for the patch.<br>
>><br>
>> Have you tested it? On what lisp/OS ?<br>
>><br>
>> 31.01.2014, 19:19, "Kari Lentz" <<a href="mailto:kari.k.lentz@gmail.com">kari.k.lentz@gmail.com</a>>:<br>
>>> Please find attached a patch supports enables CL+SSL to support ciphers that require a temporary/ephemeral RSA key. To quote the OpenSSL documentation:<br>
>>> "When using a cipher with RSA authentication, an ephemeral RSA key exchange can take place. In this case the session data are negotiated using the ephemeral/temporary RSA key and the RSA key supplied and certified by the certificate chain is only used for signing.<br>
>>><br>
>>> Under previous export restrictions, ciphers with RSA keys shorter (512 bits) than the usual key length of 1024 bits were created. To use these ciphers with RSA keys of usual length, an ephemeral key exchange must be performed, as the normal (certified) key cannot be directly used."<br>
>>> Basically, it accomplishes this by calling the Open SSL library function, "SSL_CTX_set_tmp_rsa_callback", upon initialization with a callback function whose purpose is to generate the ephemeral RSA key key.<br>
>>><br>
>>> Best Regards,<br>
>>><br>
>>> Kari Lentz<br>
</div></div></blockquote></div><br></div>