Re: is there an API to list all the TLS 1.3 cipher suite names?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Jan 18, 2019 at 01:33:20AM +0000, Jordan Brown wrote:
> On 1/14/2019 4:09 AM, Matt Caswell wrote:
> > This works more "by accident". There is no ciphersuite alias called
> > "TLSv1.3", so using it as above results in no ciphersuites matched.
> > Since the TLSv1.3 ciphersuites are on by default anyway that's all
> > that you get back.
> 
> 
> From what you say, and based on experimentation, it seems like the
> TLSv1.3 ciphersuites are enabled even if you explicitly say to disable them.
> 
>     $ openssl ciphers SHA384:\!TLS_AES_256_GCM_SHA384
>     *TLS_AES_256_GCM_SHA384*:TLS_CHACHA20_POLY1305_SHA256:[...]
> 
>     $ openssl ciphers AES:-SHA384
>     *TLS_AES_256_GCM_SHA384*:TLS_CHACHA20_POLY1305_SHA256:[...]
> 
> That doesn't seem right.  Am I missing something?

Presumably.  The TLS 1.3 ciphersuites are entirely separate from the traditional
cipher list:

    -ciphersuites val
        Sets the list of TLSv1.3 ciphersuites. This list will be combined with
        any TLSv1.2 and below ciphersuites that have been configured. The format
        for this list is a simple colon (":") separated list of TLSv1.3
        ciphersuite names. By default this value is:

         TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA25

-Ben
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux