On Friday, 18 January 2019 02:33:20 CET Jordan Brown wrote: > On 1/14/2019 4:09 AM, Matt Caswell wrote: > > This works more "by accident". There is no ciphersuite alias called > > "TLSv1.3", so using it as above results in no ciphersuites matched. > > Since the TLSv1.3 ciphersuites are on by default anyway that's all > > that you get back. > > From what you say, and based on experimentation, it seems like the > TLSv1.3 ciphersuites are enabled even if you explicitly say to disable them. > > $ openssl ciphers SHA384:\!TLS_AES_256_GCM_SHA384 > *TLS_AES_256_GCM_SHA384*:TLS_CHACHA20_POLY1305_SHA256:[...] > > $ openssl ciphers AES:-SHA384 > *TLS_AES_256_GCM_SHA384*:TLS_CHACHA20_POLY1305_SHA256:[...] > > That doesn't seem right. Am I missing something? see man 1 ciphers section "TLS v1.3 cipher suites" specifies all ciphers that are supported for TLS 1.3 while -ciphersuites is used to change which are enabled -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
Attachment:
signature.asc
Description: This is a digitally signed message part.
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
