Relationship between TLS 1.3 ciphers and earlier ciphers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Our application has a user interface that shows you all of the available ciphers, and lets you select and deselect individual ciphers.  (It does *not* allow for pattern matching.)

We're working on supporting TLS 1.3.  In OpenSSL, that introduces new functions SSL_set_ciphersuites() and SSL_CTX_set_ciphersuites().  We're trying to understand how that relates to the previous functions SSL_set_cipher_list() and SSL_CTX_set_cipher_list().  It would be *nice* to be able to treat all cipher selection for all versions the same.

Experimentally, based on the behavior of "openssl ciphers" and its -ciphersuites, it appears that the new function accepts all cipher names, as long as you use the IANA TLS_* form of the name.  Source inspection suggests that -ciphersuites is implemented directly atop SSL_CTX_set_ciphersuites().

It *appears* that the behavior is that the explicit list of IANA-named ciphers supplied with the "set_ciphersuites" functions is unioned with the pattern-matched list of older ciphers supplied through the old functions.

Consider that I appear to be able to select an old cipher using the new option (and thus the new function):
$ openssl ciphers -ciphersuites TLS_RSA_WITH_AES_256_CBC_SHA \!ALL
AES256-SHA
Is this an intended feature?
-- 
Jordan Brown, Oracle
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux