<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 1/14/2019 4:09 AM, Matt Caswell
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:2203b9cd-2517-d08e-5e54-a82fe8118a70@openssl.org">This
works more "by accident". There is no ciphersuite alias called
"TLSv1.3", so using it as above results in no ciphersuites
matched. Since the TLSv1.3 ciphersuites are on by default anyway
that's all that you get back.</blockquote>
<p><br>
</p>
<p>From what you say, and based on experimentation, it seems like
the TLSv1.3 ciphersuites are enabled even if you explicitly say to
disable them.</p>
<blockquote>
<pre>$ openssl ciphers SHA384:\!TLS_AES_256_GCM_SHA384
<b>TLS_AES_256_GCM_SHA384</b>:TLS_CHACHA20_POLY1305_SHA256:[...]
$ openssl ciphers AES:-SHA384
<b>TLS_AES_256_GCM_SHA384</b>:TLS_CHACHA20_POLY1305_SHA256:[...]
</pre>
</blockquote>
<p>That doesn't seem right. Am I missing something?</p>
<pre class="moz-signature" cols="72">--
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris</pre>
</body>
</html>