On Wed, Jun 03, 2020 at 07:05:32PM +0200, Claus Assmann wrote:
> Just curious: Why is the output of
> openssl ciphers MEDIUM
> "empty" for 3.0.0.a2?

There are no ciphers available by default that are at the MEDIUM level
(which, to be honest, does not make a huge amount of sense at this point
anyway -- there's not a clear spot between "good" and "bad" to bucket
things into).

> Error in cipher list
> 00:00:00:00:error:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2705:
>
> Using 1.1.1 lists several, and at least
> TLS_AES_128_GCM_SHA256
> is also listed by
> openssl-3.0.0.a2 ciphers

TLS_* are TLS 1.3 ciphers, which in the parlance of openssl configuration
are known as "ciphersuites" (vs. "cipher list"), and are not affected by
the "cipher list" that you provide via SSL_CTX_set_cipher_list().

My
$ openssl version
OpenSSL 1.1.1 11 Sep 2018
only reports the TLS 1.3 ciphersuites and some SEED ciphers for an input
of MEDIUM, and IIRC the SEED ciphers have been foisted off to the legacy
provider and are not available by default.

> Has the "classification" of ciphers changed?
> I didn't see anything obvious in CHANGES.

This may just be the "legacy provider" bit -- the SEED ciphers are still
listed as "MEDIUM" in the code (and there are some others that are gated
behind ssl-weak-ciphers).

-Ben
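
The split between the "cipher list" and the TLS 1.3 "ciphersuites" described in the message above can be observed from Python, whose `ssl.SSLContext.set_ciphers()` wraps `SSL_CTX_set_cipher_list()`. This is an added example, not part of the original thread; the helper name `enabled_after` and the chosen test strings are assumptions made for illustration.

```python
import ssl


def enabled_after(cipher_list):
    """Apply an OpenSSL cipher-list string to a fresh context.

    Returns (matched, tls13_names, older_names). matched is False when
    OpenSSL rejects the string ("no cipher match"); the name lists are
    then left empty because the context state is not meaningful.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # Governs TLS 1.2 and below only; TLS 1.3 ciphersuites are
        # configured through a separate OpenSSL setting.
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return False, [], []
    tls13, older = [], []
    for cipher in ctx.get_ciphers():
        bucket = tls13 if cipher["protocol"] == "TLSv1.3" else older
        bucket.append(cipher["name"])
    return True, sorted(tls13), sorted(older)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    # MEDIUM may match nothing (OpenSSL 3.x default provider) or only
    # legacy ciphers (some 1.1.1 builds); both outcomes are reported.
    for spec in ("HIGH", "ECDHE+AESGCM", "MEDIUM"):
        matched, tls13, older = enabled_after(spec)
        if not matched:
            print(f"{spec}: no cipher match")
            continue
        print(f"{spec}: {len(older)} TLS<=1.2 ciphers, TLS 1.3 = {tls13}")
```

The TLS 1.3 names stay the same whichever cipher-list string is applied, which is why a context restricted with a cipher list can still negotiate `TLS_AES_128_GCM_SHA256`.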