[openssl-dev] [openssl.org #3845] Feature Request: Allow specification of ciphers by raw cipher ID

Benny Baumann via RT rt at openssl.org
Tue May 12 07:17:46 UTC 2015


Hi,

Am 11.05.2015 um 13:48 schrieb Hubert Kario via RT:
> On Saturday 09 May 2015 18:22:52 Benny Baumann via RT wrote:
>> Hi,
>>
>> as the normal specification of cipher strings can be somewhat clumsy to
>> use from time to time it would be nice if one could use the raw ID of a
>> cipher (with all the usual operators):
>>
>> ALL:!0x00c012
>> Allow everything except TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>>
>> HIGH:-AES:+0x00c030
>> Allow all HIGH secure ciphers except AES, but explicitly include
>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> 
> "+" operator doesn't add a cipher, it moves matching ones to end of list
>  
This explains why GnuTLS and OpenSSL produce vastly different results
here ;-) Good to know. Wouldn't ">" have been a better choice then? ;-)

>> AES256:-0xc030:+AES+GCM
>> Allow AES256, but (soft-)exclude TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>> if it's not in the AESGCM ciphers list.
> 
> again, you're describing what would happen with
> AES256:-0xc030:AES+GCM
> 
>> Additionally it would be awesome if one could simply use the names as
>> they appear in the RFCs ;-)
> 
> that would make the strings longer, wouldn't it? :)
> 
Yes, but much easier to compare with the RFCs which ciphers are to
be selected. It's not as if you are writing such strings all the time.

> master has support for printing the IETF/IANA names, see -stdname options to 
> ciphers subcommand...
> 
Why would -stdname include -verbose?

Does this work in reverse yet?

Regards,
BenBE.
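
The operator semantics discussed above (plain rule adds, "-" soft-deletes, "!" permanently deletes, a leading "+" only moves, and "+" inside a rule is a logical AND), as an added example that is not from this thread or from OpenSSL: a small Python model of cipher-string evaluation over a constructed table of real IANA suite IDs, extended to accept raw hex IDs as terms the way the feature request proposes. The alias tags are simplified assumptions ("GCM" stands in for OpenSSL's AESGCM alias), so the output illustrates the operator rules, not any particular OpenSSL build.

```python
# Simplified model of OpenSSL cipher strings: ':' separates rules, '+' inside a
# rule is logical AND, a leading '!' / '-' / '+' means kill / soft-drop / move-to-end.
# Constructed subset of real IANA suite IDs; alias tags are approximations.
SUITES = [
    (0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", {"ECDHE", "AES", "AES256", "GCM", "HIGH"}),
    (0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", {"ECDHE", "AES", "AES128", "GCM", "HIGH"}),
    (0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", {"ECDHE", "CHACHA20", "HIGH"}),
    (0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", {"ECDHE", "AES", "AES256", "HIGH"}),
    (0xC012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", {"ECDHE", "3DES", "MEDIUM"}),
    (0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384", {"kRSA", "AES", "AES256", "GCM", "HIGH"}),
    (0x000A, "TLS_RSA_WITH_3DES_EDE_CBC_SHA", {"kRSA", "3DES", "MEDIUM"}),
]


def _matches(suite, term):
    """True if every '+'-joined part of `term` applies to the suite.
    A hex part (0xC030, 0x00c030) matches by raw ID: the proposed extension,
    not real OpenSSL syntax."""
    suite_id, _name, tags = suite
    for part in term.split("+"):
        if part.lower().startswith("0x"):
            if int(part, 16) != suite_id:
                return False
        elif part != "ALL" and part not in tags:
            return False
    return True


def expand(cipher_string):
    """Return the ordered IANA names selected by `cipher_string`."""
    chosen, killed = [], set()
    for token in cipher_string.split(":"):
        if not token or token.startswith("@"):
            continue  # @STRENGTH / @SECLEVEL are not modelled
        op, term = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [s for s in SUITES if _matches(s, term)]
        if op == "!":    # permanently delete: later rules cannot re-add these
            killed.update(s[0] for s in hits)
            chosen = [s for s in chosen if s[0] not in killed]
        elif op == "-":  # soft delete: a later plain rule may re-add them
            chosen = [s for s in chosen if s not in hits]
        elif op == "+":  # move already-selected matches to the end; adds nothing
            chosen = [s for s in chosen if s not in hits] + [s for s in chosen if s in hits]
        else:            # plain rule: append new matches in master-list order
            chosen += [s for s in hits if s not in chosen and s[0] not in killed]
    return [name for _id, name, _tags in chosen]


if __name__ == "__main__":
    for spec in ("HIGH:-AES:+0x00c030", "HIGH:-AES:0x00c030",
                 "AES256:-0xc030:+AES+GCM", "AES256:-0xc030:AES+GCM"):
        print(spec, "->", expand(spec))
```

Running it shows the point made in the reply: "HIGH:-AES:+0x00c030" ends with only the ChaCha20 suite because "+" moves but never adds, whereas the plain "0x00c030" rule re-adds the soft-deleted suite.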
