The default cipher of executable 'openssl'

openssl-users@xxxxxxxxxxxx (Viktor Dukhovni) · Fri, 12 Jun 2015 06:46:52 +0000

On Thu, Jun 11, 2015 at 11:19:17PM -0700, Aaron wrote:

> Right, I am talking about s_server subcommand. You mentioned that there is
> no change in this area. However I can easily show something is change using
> s_server subcommand. I am using original OpenSSL code to build my 'openssl',
> to this change is not from me.
> 
> 1) 1.0.1l 
> ./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile
> certdb/cafile.pem 
> Using default temp DH parameters 
> Using default temp ECDH parameters 
> ACCEPT 

With SSL 3.0, no extension support, thus no supported curves
extension, thus ideally no EDCHE support.  If ECDHE happened anyway
with earlier releases, that was a bug that is perhaps now fixed.

> 2) 1.0.2 
> ./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile
> certdb/cafile.pem 
> Using default temp DH parameters 
> ACCEPT 
> 
> Note that, in 1.0.2, openssl doesn't print out 'Using default temp ECDH
> parameters'. 

To get ECDHE support, use TLSv1.0 or later.

-- 
	Viktor.