cipherlist with only tlsv1.3 ciphers reports error?

PGNet Dev pgnet.dev at gmail.com
Sat Jul 20 14:35:49 UTC 2019


Hi,

On 7/20/19 7:28 AM, Viktor Dukhovni wrote:
> On Fri, Jul 19, 2019 at 10:38:19AM -0700, PGNet Dev wrote:
> 
>> I suspect I've misunderstood usage of TLSv1.3 @
>>
>>      https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/
>>
>> Checking cipherlist for just TLSv1.3 ciphers FAILs here,
>>
>> 	openssl ciphers  -stdname -s -V 'TTLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384'
>> 		Error in cipher list
> 
> This is expected.  Try:
> 
>      openssl ciphers -tls1_3 -stdname -s -V -ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256' 'aNULL'
> 


That works here,

openssl ciphers -tls1_3 -stdname -s -V -ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256' 'aNULL'
          0x13,0x02 - TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
          0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD

Can you clarify WHY that's expected?

Atm, it's unclear why it's working for Michael Wojcik ... different version?  something's changed?

And, in webserver ssl_cipher configs, specifying ONLY the tls13 ciphersuites fires a config error.  Until I add a group, e.g. ECDHE, as well, to the spec.
If this^^ is 'expected', is that, then, actually an error?


