On 10/04/2019 22:06, Richard Moore wrote: > They also don't appear if you explicitly try to list 'All' which is what I found > surprising. "ALL" is a TLSv1.2 cipherstring and has no impact on the TLSv1.3 ciphersuite selection. The two sets of ciphersuites are configured separately. On 11/04/2019 00:06, Michael Richardson wrote: > I think that those are the ones that constrained devices prefer, > such as ECDHE-ECDSA-AES128-CCM8? > So is there a way to validate that they are available, that there were > compiled in? You can get "openssl ciphers" to show them if you explicitly ask for them, i.e. $ openssl ciphers -v -ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256" | grep "TLSv1.3" TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD TLS_AES_128_CCM_8_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM8(128) Mac=AEAD Matt