Supported cipher suites


Supported cipher suites

Grace Priscilla Jero
Hi All,
Do we have the exact list of cipher suites supported by default in OpenSSL for each of the below in the 1.1.0g version of OpenSSL?

TLS 1.0
TLS 1.1
TLS 1.2
DTLS 1.0
DTLS 1.2

Thanks,
Grace


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Supported cipher suites

Matt Caswell-2


On 15/11/17 06:08, Grace Priscilla Jero wrote:
> Hi All,
> Do we have the exact list of cipher suites supported by default in
> openssl for each of the below in 1.1.0g version of openSSL.
>
> TLS 1.0
> TLS 1.1
> TLS 1.2
> DTLS 1.0
> DTLS 1.2

You can use the command line "ciphers" command for this information, i.e.

$ openssl ciphers -s -v -tls1
$ openssl ciphers -s -v -tls1_1
$ openssl ciphers -s -v -tls1_2

DTLS1.0 is the same list as for TLS1.1 and DTLS1.2 is the same as for
TLS1.2.

Matt


Re: Supported cipher suites

Grace Priscilla Jero
Thank you, Matt.
Some of them that we tried do not work. Are there any additional criteria for them to work?
I read about some PSK ciphers which I am not sure depends on something else.

Thanks,
Grace


Re: Supported cipher suites

Grace Priscilla Jero
Hi,
How to check the default ciphers? We are not setting any ciphers in our code.
Below is the configuration output.

CC            =gcc
CFLAG         =-Wall -O3 -pthread -m64 -DL_ENDIAN  -udp -Wa,--noexecstack
SHARED_CFLAG  =-fPIC -DOPENSSL_USE_NODELETE
DEFINES       =DSO_DLFCN HAVE_DLFCN_H NDEBUG OPENSSL_THREADS OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM RC4_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM PADLOCK_ASM POLY1305_ASM
LFLAG         =
PLIB_LFLAG    =
EX_LIBS       =-ldl
APPS_OBJ      =
CPUID_OBJ     =x86_64cpuid.o
UPLINK_OBJ    =
BN_ASM        =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o
EC_ASM        =ecp_nistz256.o ecp_nistz256-x86_64.o
DES_ENC       =des_enc.o fcrypt_b.o
AES_ENC       =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o
BF_ENC        =bf_enc.o
CAST_ENC      =c_enc.o
RC4_ENC       =rc4-x86_64.o rc4-md5-x86_64.o
RC5_ENC       =rc5_enc.o
MD5_OBJ_ASM   =md5-x86_64.o
SHA1_OBJ_ASM  =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o
RMD160_OBJ_ASM=
CMLL_ENC      =cmll-x86_64.o cmll_misc.o
MODES_OBJ     =ghash-x86_64.o aesni-gcm-x86_64.o
PADLOCK_OBJ   =e_padlock-x86_64.o
CHACHA_ENC    =chacha-x86_64.o
POLY1305_OBJ  =poly1305-x86_64.o
BLAKE2_OBJ    =
PROCESSOR     =
RANLIB        =ranlib
ARFLAGS       =
PERL          =/usr/bin/perl

Thanks,
Grace



Re: Supported cipher suites

Viktor Dukhovni


> On Nov 16, 2017, at 1:51 AM, Grace Priscilla Jero <[hidden email]> wrote:
>
> How to check the default ciphers? We are not setting any ciphers in our code.

What specifically are you looking for?

The cipherlist sent to the server depends in part on which protocols
are enabled in the client, and as of OpenSSL 1.1.0 also on the "security
level" (default 1).  PSK and SRP ciphers require an application callback
to provide shared secrets and so are not used in most applications.

The "openssl ciphers" command (see the manpage) lists the ciphers that
match either the DEFAULT or some explicit cipher string.  With OpenSSL
1.1.0 you can specify a TLS protocol version and see only the ciphers
compatible with that protocol version.

In the upcoming TLS 1.3 the ciphers are completely different from
previous versions, and configuration via cipher strings was not
implemented last I looked.  This may have changed...

--
        Viktor.
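
Added example, not part of the original thread: the reply above says PSK and SRP suites need an application callback, which is why suites shown by a listing made without "-s" can fail to negotiate. This script splits "openssl ciphers -v" output on its Kx=/Au= columns; the sample lines are constructed and the function names are illustrative.

```bash
#!/bin/sh
# Added example (not from the thread). Classifies `openssl ciphers -v`
# lines by whether the suite needs an application-supplied secret.

# Constructed sample in the column layout of `openssl ciphers -v`
# (name, protocol, Kx=, Au=, Enc=, Mac=); not captured from a real build.
sample_ciphers() {
cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(256) Mac=AEAD
RSA-PSK-AES128-CBC-SHA256 TLSv1 Kx=RSAPSK Au=RSA Enc=AES(128) Mac=SHA256
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(256) Mac=SHA1
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
EOF
}

# classify_ciphers: reads listing lines on stdin and prints
# "<class> <suite> <protocol>", where class is
#   callback - key exchange or auth is PSK/SRP (needs a PSK/SRP callback)
#   usable   - needs only the usual certificate/key configuration
classify_ciphers() {
    awk 'NF >= 4 {
        kx = ""; au = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Kx=/) kx = substr($i, 4)
            if ($i ~ /^Au=/) au = substr($i, 4)
        }
        cls = (kx ~ /PSK|SRP/ || au ~ /PSK|SRP/) ? "callback" : "usable"
        print cls, $1, $2
    }'
}

# needs_callback: names of the suites that depend on a callback.
needs_callback() { classify_ciphers | awk '$1 == "callback" { print $2 }'; }

# count_class CLASS: number of suites that fall in CLASS.
count_class() {
    classify_ciphers | awk -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

# Demo on the constructed sample. On a real host, pipe in a listing made
# without -s instead, e.g.: openssl ciphers -v -tls1_2 | classify_ciphers
sample_ciphers | classify_ciphers
```
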


Re: Supported cipher suites

Matt Caswell-2


On 16/11/17 07:00, Viktor Dukhovni wrote:
> In the upcoming TLS 1.3 the ciphers are completely different from
> previous versions, and configuration via cipher strings was not
> implemented last I looked.  This may have changed...

You have always been able to configure the TLSv1.3 ciphers via cipher
strings.

Matt


Re: Supported cipher suites

Michael Wojcik
In reply to this post by Grace Priscilla Jero
> From: openssl-users [mailto:[hidden email]] On Behalf Of Grace Priscilla Jero
> Sent: Wednesday, November 15, 2017 09:42
> To: [hidden email]
> Subject: Re: [openssl-users] Supported cipher suites

> Some of them that we tried does not work. Is there any additional criteria for it to work.
> I read about some PSK ciphers which I am not sure depends on something else.

PSK stands for "Pre-Shared Key", because the PSK suites require sharing a key before you can use them.

Trying to test suites without knowing what they are is a bad idea. Why are you trying to do that? Would you operate a machine without knowing what it does?

If you really want to test *all* the supported suites, I would suggest you first acquire an in-depth knowledge of TLS, perhaps by reading the books by Eric Rescorla and Ivan Ristic; then read through the specifications for each of the suites you want to test; study background material on the algorithms and protocols they use as necessary. Then familiarize yourself with the relevant parts of OpenSSL by reading the OpenSSL documentation and wiki. Then you'll be in a good position to try all the suites. You'll also know more about TLS than all but a handful of people, which ought to be good for your career prospects.

The downside is that it would likely take months of intense study, even for a fast learner with the requisite technical background. So perhaps a better option is not trying to test the obscure suites.

--
Michael Wojcik
Distinguished Engineer, Micro Focus

