[issue32813] SSL shared_ciphers implementation wrong - returns configured but not shared ciphers

Steffen Ullrich report at bugs.python.org
Sat Feb 10 03:53:30 EST 2018


Steffen Ullrich <noxxinoxxi at gmail.com> added the comment:

Actually, it looks like neither SSL_get_shared_ciphers nor SSL_get_client_ciphers nor accessing ssl->session->ciphers nor SSL_get_ciphers returns the **shared** ciphers. The first three seem to return the ciphers offered by the client and the last one returns the ciphers set for the server.

It looks like even the OpenSSL developers do not really know what they are doing. The same contents of ssl->session->ciphers are made available through the functions SSL_get_shared_ciphers and SSL_get_client_ciphers, which based on the names should return different information. And the ciphers member of the ssl_session_st structure is documented for the newest and even the oldest versions (i.e. 0.9.8) as:

   STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */

In other words: the developers are not sure themselves if this contains the shared ciphers or not (and it does not, at least in OpenSSL 1.0.2 and OpenSSL 1.1.0).

In other words: I doubt that there is a documented way to get the actually shared ciphers. One probably needs to reimplement parts of the internal ssl3_choose_cipher function, since this is the place where cipher_list and session->ciphers get combined with various other restrictions (e.g. the type of certificate) to get the shared and thus the final cipher.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue32813>
_______________________________________
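An added example (not code from the tracker, from Python, or from OpenSSL) of the combination step the comment above says has to be reimplemented: taking the server's configured list and the client's offered list and working out what is actually shared. Two real Python APIs are referenced, SSLContext.get_ciphers() for the server's configured suites in preference order and, on a live SSLSocket, shared_ciphers() for the list coming from the other side. The combination rule itself is an assumption: it keeps only two of the restrictions ssl3_choose_cipher applies, protocol generation and certificate key type, and ignores the rest (signature algorithms, supported groups, SNI-selected certificates). CLIENT_OFFERED and SAMPLE_SERVER_TABLE are constructed inputs; live_server_table() pulls the real table from whatever OpenSSL Python is linked against.

```python
import ssl

# Constructed ClientHello cipher list (assumption: OpenSSL's suite names), in
# the order the client offered them. A server sees this list through
# SSLSocket.shared_ciphers(), which per the report above is the client's
# offered list, not the intersection.
CLIENT_OFFERED = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "AES128-SHA",
    "DES-CBC3-SHA",
]

# Constructed server configuration in server preference order, shaped like the
# dicts SSLContext.get_ciphers() returns (only the keys used here are kept).
SAMPLE_SERVER_TABLE = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "auth": "auth-any"},
    {"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "auth": "auth-ecdsa"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "auth": "auth-rsa"},
    {"name": "ECDHE-RSA-CHACHA20-POLY1305", "protocol": "TLSv1.2", "auth": "auth-rsa"},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "auth": "auth-rsa"},
    # OpenSSL labels pre-TLS1.2 suites with the version that introduced them,
    # so a plain-RSA AES-CBC suite carries "SSLv3" even on a TLS 1.2 server.
    {"name": "AES128-SHA", "protocol": "SSLv3", "auth": "auth-rsa"},
]


def naive_shared(server_table, client_offered):
    """Name-only intersection: what 'shared ciphers' sounds like it means."""
    offered = set(client_offered)
    return [c["name"] for c in server_table if c["name"] in offered]


def choose_shared(server_table, client_offered, cert_auth, negotiated_version):
    """Approximate ssl3_choose_cipher's candidate list (assumption, see lead-in).

    Walks the server's list in preference order and keeps a suite only if the
    client offered it, it belongs to the negotiated protocol generation, and
    its authentication type fits the server certificate. Returns names in
    server preference order; element 0 is what a server-preference-ordered
    OpenSSL would pick.
    """
    offered = set(client_offered)
    want_tls13 = negotiated_version == "TLSv1.3"
    shared = []
    for c in server_table:
        if c["name"] not in offered:
            continue
        # TLS 1.3 suites are only usable on TLS 1.3 and vice versa.
        if (c["protocol"] == "TLSv1.3") != want_tls13:
            continue
        # 'auth-any' is how get_ciphers() tags TLS 1.3 suites, whose choice is
        # independent of the certificate's key type.
        if c["auth"] not in ("auth-any", cert_auth):
            continue
        shared.append(c["name"])
    return shared


def live_server_table(cipher_string="ECDHE+AESGCM:ECDHE+CHACHA20:AES128-SHA"):
    """The same kind of table from a real SSLContext (depends on the OpenSSL build)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


if __name__ == "__main__":
    print("naive      :", naive_shared(SAMPLE_SERVER_TABLE, CLIENT_OFFERED))
    for cert, ver in (("auth-rsa", "TLSv1.2"), ("auth-ecdsa", "TLSv1.2"), ("auth-rsa", "TLSv1.3")):
        print(cert, ver, ":", choose_shared(SAMPLE_SERVER_TABLE, CLIENT_OFFERED, cert, ver))
    # Against this interpreter's real OpenSSL list, RSA certificate, TLS 1.2.
    print("live       :", choose_shared(live_server_table(), CLIENT_OFFERED, "auth-rsa", "TLSv1.2"))
```

The point the two functions make side by side: naive_shared() lists five suites for the constructed inputs, but with an RSA certificate on TLS 1.2 only three of them are usable, with an ECDSA certificate only one, and on TLS 1.3 only the TLS 1.3 suite. None of the four accessors named in the comment give you any of those three answers; the combination has to be done by the caller.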
