[openssl-users] How to increase the priority of some cipher ?

李明 mid_li at 163.com
Tue Sep 26 08:44:28 UTC 2017

just find it, 
 server respect client's cipher preference  by default,  
 it selects the suite preferred by client among the cipherlist that both the client and server support.
 so it's not enough to just increase RSA cipher priority on server side ,  
 SSL_OP_CIPHER_SERVER_PREFERENCE will make the server select the suite that itself most prefer among the cipherlist that both the client and server support.

在 2017-09-26 15:15:10,"李明" <mid_li at 163.com> 写道:

   Currently, openssl prefer (EC)DHE handshakes over plain RSA, but (EC)DHE cost much more resouces than RSA.
   In order to get higher performance , I want to  prioritize RSA related ciphers, does anyone knows how to do it.
   I have tried cipherlist "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL" , it looks fine in openssl command line
   ./openssl ciphers -v 'RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL' 
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

 but, after SSL_CTX_set_cipher_list(ctx, "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL")  in my application, it didn't work, the first choice is still ECDHE-RSA-AES256-GCM-SHA384

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170926/cc40db7d/attachment.html>

More information about the openssl-users mailing list