[openssl-users] how to control the cipher list of an openssl server

Nitin Mutkawoa jmutkawoa at hackers.mu
Wed Mar 14 20:07:12 UTC 2018


Hello

I wish to add some additional information. Perhaps it's useful to you.

As Matt mentioned check out your ciphers. --> *openssl ciphers -v*
You can also grep a particular cipher for example TLS. *openssl "ciphers"
-v | grep i tls*

So basically, you might need to check if you have the right version of
openssl-libs. If you have compiled your OpenSSL from source, it will also
depends which lib you are specifying which might result out old ciphers in
that particular situation. Look out for the binary and use ldd to see which
library it is calling.

It also depends how the server is configured. Let's say its a webserver
Nginx server, you will need to add the necessary ciphers to the conf.
Since you have probably run an *nmap --script ssl-cert,ssl-enum-ciphers -p
443,465,993,995 www.example.com <http://www.example.com>, *i doubt that the
issue might be with the server configuration.

regards

Nitin J Mutkawoa

https://tunnelix.com
https://hackers.mu

Twitter: @TheTunnelix

On Tue, Mar 13, 2018 at 4:09 AM, Matt Caswell <matt at openssl.org> wrote:

>
>
> On 12/03/18 22:53, Chris Bare wrote:
> > I have a fairly basic server set up based on various examples I've seen.
> >
> > I run an nmap script I found against it and see only 16 ciphers listed,
> > none of which are supported by modern web browsers.
> > Yet when I run "openssl ciphers I get a list of 97.
> >
> > I realize some of these are old and deprecated etc, but where does the
> > default list come from?
> >
> > I tried this code to set it to use one of the more modern ciphers shown
> > in the the openssl ciphers output:
> >
> > char *ssl_cipher = "ECDHE-ECDSA-AES128-GCM-SHA256";
> > if(!SSL_CTX_set_cipher_list(jav->ctx, ssl_cipher))
> >          return (false);
> >
> > but after that the nmap script doesn't find any ciphers.
> >
> > Any suggestions?
>
> When you run "openssl ciphers" without other arguments it will give you
> the default set of ciphersuites. Not all of those will be useable by
> your server depending on other aspects of its configuration. For example
> PSK ciphersuites will only be available if you have configured a
> pre-shared-key (PSK).
>
> Most important is the type of certificate that your server is using,
> with typical types being RSA, ECDSA or DSA. It is possible to configure
> a server with more than one type of certificate - but if you've only got
> one then only ciphersuites compatible with that certificate will be used.
>
> In your example the ECDHE-ECDSA-AES128-GCM-SHA256 requires an ECDSA
> certificate to be present. If you haven't go one, and that's the only
> ciphersuite configured, then you won't be able to successfully make
> connections.
>
> Hope that helps,
>
> Matt
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180315/7b4d7aea/attachment-0001.html>


More information about the openssl-users mailing list