[openssl-users] Openssl 1.1 / TLS 1.3

Matt Caswell matt at openssl.org
Wed Feb 14 16:34:26 UTC 2018

On 14/02/18 16:27, Richard Moore wrote:
> If I run the following:
>  openssl-1.1.1pre1 ciphers -tls1_3 -v

The man page says this about the "-tls1_3" option:

"In combination with the B<-s> option, list the ciphers which would be
used if TLSv1.3 were negotiated."

So you need to add "-s". If you do that then you only get the TLSv1.3
ciphers. It's a little strange that the option is ignored if no -s is
supplied (you might think supplying -tls1_3 would automatically imply
-s). But that is the way that all the -tls* options work, so this is
nothing new in 1.1.1.


> Then I get lots of ciphers, for example AES128-SHA however the latest
> draft TLS 1.3 RFC states:
> The list of supported symmetric algorithms has been pruned of all
> algorithms that are considered legacy. Those that remain all use
> Authenticated Encryption with Associated Data (AEAD) algorithms.
> This suggests that the ciphers command isn't working as intended. Should
> I file an issue in github?
> Cheers
> Rich.

More information about the openssl-users mailing list