[openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

Viktor Dukhovni openssl-users at dukhovni.org
Wed Jan 9 04:21:59 UTC 2019

On Wed, Jan 09, 2019 at 04:16:05AM +0000, Jordan Brown wrote:

> > You could just provide a free-form emergency string parameter that
> > users are advised to not change unless some major advance makes it
> > necessary. At that time, advice can be published as to what the
> > override setting should be.
> That doesn't sound like a 21st century user interface.

How do you plan to offer a built-in menu of algorithms that have
not yet been added to OpenSSL?  And if users are better off leaving
the list alone, why encourage that with a fancy UI?

> However, as I think about it, I remember that we already need a
> softcoded list of algorithms, to avoid offering (e.g.) the PSK
> algorithms.

In TLS 1.3, the handshake parameters are configured separately from
the cipherlist.  The use of (non-resumption) PSKs requires callbacks,
so they're never enabled out of the box.

> It sounds like TLS 1.3 will need the same.

Actually, it won't, nor did earlier versions, the ciphers were
listed by "openssl ciphers -v", but they can't get activated without
application support.


More information about the openssl-users mailing list