openssl-fips configure parameters to force IANA cipher suite compliance

Larry Jordan lj at acronisscs.com
Tue Jul 2 20:13:23 UTC 2019


I want to build an openssl-fips canister to force IANA cipher suite compliance.

With the help of an openssl-iana mapping (https://testssl.sh/openssl-iana.mapping.html) I can identify the corresponding OpenSSL cipher suites.

IANA                                                                                                                                                                     OpenSSL
TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246                                                           [0x2f] AES128-SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246                                                    [0x3c] AES128-SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246                                                    [0x3d] AES256-SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288                                                  [0x9d] AES256-GCM-SHA384

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246                                         [0x67] DHE-RSA-AES128-SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246                                         [0x6b] DHE-RSA-AES256-SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288                                       [0x9f] DHE-RSA-AES256-GCM-SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289                               [0xc023] ECDHE-ECDSA-AES128-SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289                             [0xc02b] ECDHE-ECDSA-AES128-GCM-SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289                               [0xc024] ECDHE-ECDSA-AES256-SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289                             [0xc02c] ECDHE-ECDSA-AES256-GCM-SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289                                    [0xc027] ECDHE-RSA-AES128-SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289                                  [0xc02f] ECDHE-RSA-AES128-GCM-SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289                                    [0xc028] ECDHE-RSA-AES256-SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289                                  [0xc030] ECDHE-RSA-AES256-GCM-SHA384

How would I configure openssl-fips to force this precise compliance, eliminating all other cipher suites?

Thank you.

--Larry
C++ Developer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190702/05b589fa/attachment-0001.html>


More information about the openssl-users mailing list