[openssl-users] how to control the cipher list of an openssl server
Matt Caswell
matt at openssl.org
Tue Mar 13 00:09:54 UTC 2018
On 12/03/18 22:53, Chris Bare wrote:
> I have a fairly basic server set up based on various examples I've seen.
>
> I run an nmap script I found against it and see only 16 ciphers listed,
> none of which are supported by modern web browsers.
> Yet when I run "openssl ciphers I get a list of 97.
>
> I realize some of these are old and deprecated etc, but where does the
> default list come from?
>
> I tried this code to set it to use one of the more modern ciphers shown
> in the the openssl ciphers output:
>
> char *ssl_cipher = "ECDHE-ECDSA-AES128-GCM-SHA256";
> if(!SSL_CTX_set_cipher_list(jav->ctx, ssl_cipher))
> return (false);
>
> but after that the nmap script doesn't find any ciphers.
>
> Any suggestions?
When you run "openssl ciphers" without other arguments it will give you
the default set of ciphersuites. Not all of those will be useable by
your server depending on other aspects of its configuration. For example
PSK ciphersuites will only be available if you have configured a
pre-shared-key (PSK).
Most important is the type of certificate that your server is using,
with typical types being RSA, ECDSA or DSA. It is possible to configure
a server with more than one type of certificate - but if you've only got
one then only ciphersuites compatible with that certificate will be used.
In your example the ECDHE-ECDSA-AES128-GCM-SHA256 requires an ECDSA
certificate to be present. If you haven't go one, and that's the only
ciphersuite configured, then you won't be able to successfully make
connections.
Hope that helps,
Matt
More information about the openssl-users
mailing list