[openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

Vitezslav Cizek vcizek at suse.com
Fri Jan 18 10:51:12 UTC 2019


Hi,

On Fri, 18 Jan 2019 01:33:20 +0000
"Jordan Brown" <openssl at jordan.maileater.net> wrote:

> On 1/14/2019 4:09 AM, Matt Caswell wrote:
> > This works more "by accident". There is no ciphersuite alias called
> > "TLSv1.3", so using it as above results in no ciphersuites matched.
> > Since the TLSv1.3 ciphersuites are on by default anyway that's all
> > that you get back.  
> 
> 
> From what you say, and based on experimentation, it seems like the
> TLSv1.3 ciphersuites are enabled even if you explicitly say to
> disable them.
> 
>     $ openssl ciphers SHA384:\!TLS_AES_256_GCM_SHA384
>     *TLS_AES_256_GCM_SHA384*:TLS_CHACHA20_POLY1305_SHA256:[...]
> 
>     $ openssl ciphers AES:-SHA384
>     *TLS_AES_256_GCM_SHA384*:TLS_CHACHA20_POLY1305_SHA256:[...]
> 
> That doesn't seem right.  Am I missing something?

Yes.
TLS 1.3 ciphers are configured differently; you need to use
the -ciphersuites option.

See https://www.openssl.org/docs/man1.1.1/man1/ciphers.html

Try
# openssl ciphers -v -ciphersuites '' SHA384

  Vita

-- 
Vítězslav Čížek             Emergency Update Team (EMU)
"Whilst you sleep, we're probably saving the universe."
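
The behaviour discussed in this message, as an added example that is not part of the original post: a small audit helper that reports which TLSv1.3 suites remain enabled for a given cipher string, with and without `-ciphersuites`. The function names `tls13_suites` and `suite_enabled` are hypothetical, and the script assumes an `openssl` binary from OpenSSL 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL >= 1.1.1.

# tls13_suites CIPHERLIST [CIPHERSUITES]
# Print the TLSv1.3 suites that remain enabled, one per line.
#   CIPHERLIST   : classic cipher string (governs TLS 1.2 and below only)
#   CIPHERSUITES : value for -ciphersuites (governs TLS 1.3 only);
#                  omit it to keep the library default, pass '' for none
tls13_suites() {
    if [ "$#" -ge 2 ]; then
        openssl ciphers -v -ciphersuites "$2" "$1"
    else
        openssl ciphers -v "$1"
    fi | awk '$2 == "TLSv1.3" { print $1 }'   # column 2 of -v is the protocol
}

# suite_enabled NAME CIPHERLIST [CIPHERSUITES]
# Exit 0 if suite NAME is still offered for TLS 1.3, non-zero otherwise.
suite_enabled() {
    name=$1
    shift
    tls13_suites "$@" | grep -qx "$name"
}

# Constructed demo input: the two cipher strings quoted in the thread.
# Neither removes any TLS 1.3 suite, because the cipher string is not
# consulted for TLS 1.3.
for list in 'SHA384:!TLS_AES_256_GCM_SHA384' 'AES:-SHA384'; do
    printf '%s -> %s\n' "$list" "$(tls13_suites "$list" | tr '\n' ' ')"
done

# The command suggested in the reply: an empty -ciphersuites value
# leaves no TLS 1.3 suites in the list.
printf "SHA384 with -ciphersuites '' -> [%s]\n" "$(tls13_suites SHA384 '')"

# Restricting TLS 1.3 to a single suite uses the same option.
printf 'SHA384 with one suite -> %s\n' \
    "$(tls13_suites SHA384 TLS_AES_128_GCM_SHA256)"
```

`suite_enabled` is suitable for a configuration check that fails a build when a suite a policy intends to drop is still offered.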

