cipherlist with only tlsv1.3 ciphers reports error?
PGNet Dev
pgnet.dev at gmail.com
Sat Jul 20 14:35:49 UTC 2019
Hi,
On 7/20/19 7:28 AM, Viktor Dukhovni wrote:
> On Fri, Jul 19, 2019 at 10:38:19AM -0700, PGNet Dev wrote:
>
>> I suspect I've misunderstood usage of TLSv1.3 @
>>
>> https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/
>>
>> Checking cipherlist for just TLSv1.3 ciphers FAILs here,
>>
>> openssl ciphers -stdname -s -V 'TTLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384'
>> Error in cipher list
>
> This is expected. Try:
>
> openssl ciphers -tls1_3 -stdname -s -V -ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256' 'aNULL'
>
That works here,

  openssl ciphers -tls1_3 -stdname -s -V -ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256' 'aNULL'
  0x13,0x02 - TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
  0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD

Can you clarify WHY that's expected?
Atm, it's unclear why it's working for Michael Wojcik ... different version? something's changed?
And, in webserver ssl_cipher configs, specifying ONLY the tls13 ciphersuites fires a config error. Until I add a group, e.g. ECDHE, as well, to the spec.
If this^^ is 'expected', is that, then, actually an error?
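
A check over the `-V` output format shown in the message above, as an added example that is not part of the original thread: it reads `openssl ciphers -V` output and fails if any listed suite is not TLSv1.3. The function names and the TLSv1.2 sample line are constructed for illustration; the two TLSv1.3 sample lines are the output quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): audit `openssl ciphers -V` output.

# Reads `openssl ciphers [-stdname] -V` output on stdin, prints every suite
# whose protocol column is not TLSv1.3, and returns:
#   0 = only TLSv1.3 suites, 1 = other suites present, 2 = nothing parsed.
audit_tls13_only() {
    awk '
        # Suite lines start with the two-byte code point, e.g. "0x13,0x02".
        $1 ~ /^0x[0-9A-Fa-f][0-9A-Fa-f],0x[0-9A-Fa-f][0-9A-Fa-f]$/ {
            proto = ""; name = ""
            # The protocol is the field just before "Kx=..." and the OpenSSL
            # name the field before that, with or without -stdname.
            for (i = 3; i <= NF; i++)
                if ($i ~ /^Kx=/) { proto = $(i-1); name = $(i-2); break }
            total++
            if (proto != "TLSv1.3") {
                bad++
                print "non-TLSv1.3: " name " (" proto ")"
            }
        }
        END {
            if (total == 0) { print "no cipher suites parsed"; exit 2 }
            exit (bad > 0 ? 1 : 0)
        }
    '
}

# Sample input: the two output lines quoted in the post.
sample_tls13_only() {
    cat <<'EOF'
0x13,0x02 - TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
EOF
}

# Constructed sample: the same output plus one TLSv1.2 suite line.
sample_mixed() {
    sample_tls13_only
    echo '0xC0,0x2F - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD'
}
```

Piping the output of an `openssl ciphers ... -s -V` invocation into `audit_tls13_only` gives a scriptable pass/fail on whether the effective list contains anything other than TLSv1.3 suites.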