<div dir="ltr"><div><div><div><div><div><div><div><div>Hello<br><br></div>I wish to add some additional information. Perhaps it's useful to you.<br><br></div>As Matt mentioned check out your ciphers. --> <i>openssl ciphers -v</i><br></div>You can also grep a particular cipher for example TLS. <i>openssl "ciphers" -v | grep i tls</i><br><br></div>So basically, you might need to check if you have the right version of openssl-libs. If you have compiled your OpenSSL from source, it will also depends which lib you are specifying which might result out old ciphers in that particular situation. Look out for the binary and use ldd to see which library it is calling.<br><br></div>It also depends how the server is configured. Let's say its a webserver Nginx server, you will need to add the necessary ciphers to the conf.<br></div>Since you have probably run an <i>nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 <a href="http://www.example.com" target="_blank">www.example.com</a>, </i>i doubt that the issue might be with the server configuration.<br><br></div></div><div><div>regards<br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div><div><div><div>Nitin J Mutkawoa<br><br></div></div></div><a href="https://tunnelix.com" target="_blank">https://tunnelix.com</a><br></div><a href="https://hackers.mu" target="_blank">https://hackers.mu</a><br><br></div>Twitter: @TheTunnelix <br></div></div></div>
<br><div class="gmail_quote">On Tue, Mar 13, 2018 at 4:09 AM, Matt Caswell <span dir="ltr"><<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
On 12/03/18 22:53, Chris Bare wrote:<br>
> I have a fairly basic server set up based on various examples I've seen.<br>
><br>
> I run an nmap script I found against it and see only 16 ciphers listed,<br>
> none of which are supported by modern web browsers.<br>
> Yet when I run "openssl ciphers I get a list of 97.<br>
><br>
> I realize some of these are old and deprecated etc, but where does the<br>
> default list come from?<br>
><br>
> I tried this code to set it to use one of the more modern ciphers shown<br>
> in the the openssl ciphers output:<br>
><br>
> char *ssl_cipher = "ECDHE-ECDSA-AES128-GCM-<wbr>SHA256";<br>
> if(!SSL_CTX_set_cipher_list(<wbr>jav->ctx, ssl_cipher))<br>
> return (false);<br>
><br>
> but after that the nmap script doesn't find any ciphers.<br>
><br>
> Any suggestions?<br>
<br>
</span>When you run "openssl ciphers" without other arguments it will give you<br>
the default set of ciphersuites. Not all of those will be useable by<br>
your server depending on other aspects of its configuration. For example<br>
PSK ciphersuites will only be available if you have configured a<br>
pre-shared-key (PSK).<br>
<br>
Most important is the type of certificate that your server is using,<br>
with typical types being RSA, ECDSA or DSA. It is possible to configure<br>
a server with more than one type of certificate - but if you've only got<br>
one then only ciphersuites compatible with that certificate will be used.<br>
<br>
In your example the ECDHE-ECDSA-AES128-GCM-SHA256 requires an ECDSA<br>
certificate to be present. If you haven't go one, and that's the only<br>
ciphersuite configured, then you won't be able to successfully make<br>
connections.<br>
<br>
Hope that helps,<br>
<br>
Matt<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><br>
</font></span></blockquote></div><br></div></div>