[openssl-dev] [openssl.org #3845] Feature Request: Allow specification of ciphers by raw cipher ID
Hubert Kario via RT
rt at openssl.org
Mon May 11 11:48:31 UTC 2015
On Saturday 09 May 2015 18:22:52 Benny Baumann via RT wrote:
> Hi,
>
> as the normal specification of cipher strings can be somewhat clumsy to
> use from time to time it would be nice if one could use the raw ID of a
> cipher (with all the usual operators):
>
> ALL:!0x00c012
> Allow everything except TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>
> HIGH:-AES:+0x00c030
> Allow all HIGH secure ciphers except AES, but explicitly include
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

The "+" operator doesn't add a cipher; it moves matching ones to the end of the list.

> AES256:-0xc030:+AES+GCM
> Allow AES256, but (soft-)exclude TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> if it's not in the AESGCM ciphers list.

again, you're describing what would happen with
AES256:-0xc030:AES+GCM

> Additionally it would be awesome if one could simply use the names as
> they appear in the RFCs ;-)

that would make the strings longer, wouldn't it? :)

master has support for printing the IETF/IANA names, see -stdname options to
ciphers subcommand...

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
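
The operator behaviour discussed in this message, as an added example that is not part of the original post and is not OpenSSL code: a simplified Python model of the `!`, `-`, `+` and bare operators, run over the cipher strings from the thread. The four-entry cipher table and its tags are constructed for illustration, and the `0x...` raw-ID selector is the syntax proposed in the request, modelled here as a hypothetical.

```python
# Constructed mini cipher table: (raw ID, OpenSSL name, tags).
# List order stands in for the library's built-in preference order.
CIPHERS = [
    (0xC030, "ECDHE-RSA-AES256-GCM-SHA384", {"AES", "AES256", "GCM", "HIGH"}),
    (0xC02F, "ECDHE-RSA-AES128-GCM-SHA256", {"AES", "AES128", "GCM", "HIGH"}),
    (0xC014, "ECDHE-RSA-AES256-SHA", {"AES", "AES256", "HIGH"}),
    (0xC012, "ECDHE-RSA-DES-CBC3-SHA", {"3DES", "HIGH"}),
]

def matches(cipher, selector):
    """True if the cipher satisfies every '+'-joined term of the selector."""
    cid, name, tags = cipher
    def one(term):
        if term.lower().startswith("0x"):   # hypothetical raw-ID selector
            return int(term, 16) == cid
        return term == "ALL" or term == name or term in tags
    return all(one(t) for t in selector.split("+"))

def evaluate(cipher_string):
    """Return the ordered list of cipher names the string selects."""
    active, killed = [], set()
    for item in filter(None, cipher_string.split(":")):
        op = item[0] if item[0] in "!-+" else ""
        hits = [c[1] for c in CIPHERS if matches(c, item[len(op):])]
        if op == "!":      # permanent removal: later items cannot re-add
            killed.update(hits)
            active = [n for n in active if n not in hits]
        elif op == "-":    # soft removal: a later bare item may re-add
            active = [n for n in active if n not in hits]
        elif op == "+":    # reorder only: move already-active matches to the end
            moved = [n for n in active if n in hits]
            active = [n for n in active if n not in hits] + moved
        else:              # bare item: append matches not yet active or killed
            active += [n for n in hits if n not in active and n not in killed]
    return active

if __name__ == "__main__":
    for s in ("HIGH:-AES:+0x00c030", "HIGH:-AES:0x00c030",
              "AES256:-0xc030:+AES+GCM", "AES256:-0xc030:AES+GCM",
              "ALL:!0x00c012:HIGH"):
        print(f"{s:26} -> {evaluate(s)}")
```
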