<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">ping?<br>
<br>
On 5/23/2023 12:00 PM, Jordan Brown wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0101018849fbb761-f363f40e-cba2-496f-ade7-9f4590c88068-000000@us-west-2.amazonses.com">
Our application has a user interface that shows you all of the
available ciphers, and lets you select and deselect individual
ciphers. (It does *not* allow for pattern matching.)<br>
<br>
We're working on supporting TLS 1.3. In OpenSSL, that introduces
new functions SSL_set_ciphersuites() and
SSL_CTX_set_ciphersuites(). We're trying to understand how that
relates to the previous functions SSL_set_cipher_list() and
SSL_CTX_set_cipher_list(). It would be *nice* to be able to treat
all cipher selection for all versions the same.<br>
<br>
Experimentally, based on the behavior of "openssl ciphers" and its
-ciphersuites, it appears that the new function accepts all cipher
names, as long as you use the IANA TLS_* form of the name. Source
inspection suggests that -ciphersuites is implemented directly
atop SSL_CTX_set_ciphersuites().<br>
<p>It *appears* that the behavior is that the explicit list of
IANA-named ciphers supplied with the "set_ciphersuites"
functions is unioned with the pattern-matched list of older
ciphers supplied through the old functions.<br>
</p>
Consider that I appear to be able to select an old cipher using
the new option (and thus the new function):<br>
<blockquote>
<pre>$ openssl ciphers -ciphersuites TLS_RSA_WITH_AES_256_CBC_SHA \!ALL
AES256-SHA
</pre>
</blockquote>
Is this an intended feature?<br>
<pre class="moz-signature" cols="72">--
Jordan Brown, Oracle</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Jordan Brown, Oracle</pre>
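<p>The union behaviour described in the quoted message can be observed from Python's ssl module, whose SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list(); the following is an added example, not code from the thread, and assumes a Python linked against OpenSSL 1.1.1 or later with TLS 1.3 enabled (Python exposes no wrapper for SSL_CTX_set_ciphersuites(), so the TLS 1.3 suites shown are OpenSSL's built-in defaults).</p>

```python
import ssl


def offered_ciphers(cipher_list):
    """Return the ciphers OpenSSL would offer, grouped by protocol version,
    after SSL_CTX_set_cipher_list(cipher_list) on a fresh client context.

    get_ciphers() reads SSL_get_ciphers(), which holds the merged list:
    the TLS 1.3 ciphersuites first, then whatever the TLS 1.2 pattern matched.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    by_version = {}
    for c in ctx.get_ciphers():
        by_version.setdefault(c["protocol"], []).append(c["name"])
    return by_version


def selects_anything(cipher_list):
    """True if the cipher_list string matches at least one TLS 1.2 cipher.

    OpenSSL validates the TLS 1.2 part of the merged list on its own: a
    string that leaves no pre-1.3 cipher is rejected (SSL_R_NO_CIPHER_MATCH,
    surfaced by Python as ssl.SSLError) even though the TLS 1.3 suites are
    still present in the context.
    """
    try:
        offered_ciphers(cipher_list)
        return True
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    # Constructed selection: a single TLS 1.2 suite picked by exact name,
    # mirroring a UI that toggles individual ciphers without patterns.
    selection = "ECDHE-RSA-AES256-GCM-SHA384"
    for version, names in offered_ciphers(selection).items():
        print(version, names)
    # "!ALL" removes every TLS 1.2 cipher; the TLS 1.3 defaults do not
    # satisfy the check, so set_ciphers() fails.
    print("'!ALL' accepted:", selects_anything("!ALL"))
```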
</body>
</html>