Relationship between TLS 1.3 ciphers and earlier ciphers

Jordan Brown openssl at jordan.maileater.net
Thu May 25 18:03:42 UTC 2023


ping?

On 5/23/2023 12:00 PM, Jordan Brown wrote:
> Our application has a user interface that shows you all of the
> available ciphers, and lets you select and deselect individual
> ciphers.  (It does *not* allow for pattern matching.)
>
> We're working on supporting TLS 1.3.  In OpenSSL, that introduces new
> functions SSL_set_ciphersuites() and SSL_CTX_set_ciphersuites(). 
> We're trying to understand how that relates to the previous functions
> SSL_set_cipher_list() and SSL_CTX_set_cipher_list().  It would be
> *nice* to be able to treat all cipher selection for all versions the same.
>
> Experimentally, based on the behavior of "openssl ciphers" and its
> -ciphersuites, it appears that the new function accepts all cipher
> names, as long as you use the IANA TLS_* form of the name.  Source
> inspection suggests that -ciphersuites is implemented directly atop
> SSL_CTX_set_ciphersuites().
>
> It *appears* that the behavior is that the explicit list of IANA-named
> ciphers supplied with the "set_ciphersuites" functions is unioned with
> the pattern-matched list of older ciphers supplied through the old
> functions.
>
> Consider that I appear to be able to select an old cipher using the
> new option (and thus the new function):
>
>     $ openssl ciphers -ciphersuites TLS_RSA_WITH_AES_256_CBC_SHA \!ALL
>     AES256-SHA
>
> Is this an intended feature?
> -- 
> Jordan Brown, Oracle

-- 
Jordan Brown, Oracle