[openssl-users] was the change in when disabled ciphers are skipped intentional?

Viktor Dukhovni openssl-users at dukhovni.org
Fri Nov 23 19:40:52 UTC 2018

> On Nov 23, 2018, at 2:25 PM, Sam Roberts <vieuxtech at gmail.com> wrote:
> In 1.1.0j, if SSL_CTX_set_cipher_list() is called with "not-a-cipher"
> or "rc4", then SSL_R_NO_CIPHER_MATCH will occur.
> In 1.1.1a, set_cipher_list() suceeds, seems to return the complete
> cipher list (should it do this?) but later ssl_cipher_list_to_bytes()
> will find that ssl_cipher_disabled() is true for all the ciphers, and

When I try it with ciphers(1), I get (as expected) just the TLSv1.3
ciphers, which are configured separately from the TLSv1.2 (and below)

  $ /opt/openssl/1.1.1/bin/openssl ciphers -v not-a-cipher
  TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
  TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
  TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD

> Also, I don't understand why "not-a-cipher" matches any ciphers in
> 1.1.1, I'd expect the cipher list to be empty.

It should have the effect of disabling all SSLv3 and TLSv1.[012] ciphers,
leaving just the TLSv1.3 ciphers enabled.

Any change of behaviour you're seeing surely results from the introduction
of a separate TLSv1.3 cipherlist, but what remains to be explained is what
you mean by "seems to return the complete cipher list", is that a bug, a
documentation defect or user error?


More information about the openssl-users mailing list