how to control the cipher list of an openssl server

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

how to control the cipher list of an openssl server

Chris Bare-2
I have a fairly basic server set up based on various examples I've seen.

I run an nmap script I found against it and see only 16 ciphers listed, none of which are supported by modern web browsers.
Yet when I run "openssl ciphers I get a list of 97.

I realize some of these are old and deprecated etc, but where does the default list come from?

I tried this code to set it to use one of the more modern ciphers shown in the the openssl ciphers output:

char *ssl_cipher = "ECDHE-ECDSA-AES128-GCM-SHA256"; if(!SSL_CTX_set_cipher_list(jav->ctx, ssl_cipher))
         return (false);

but after that the nmap script doesn't find any ciphers.

Any suggestions?

--
Chris Bare

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: how to control the cipher list of an openssl server

Matt Caswell-2


On 12/03/18 22:53, Chris Bare wrote:

> I have a fairly basic server set up based on various examples I've seen.
>
> I run an nmap script I found against it and see only 16 ciphers listed,
> none of which are supported by modern web browsers.
> Yet when I run "openssl ciphers I get a list of 97.
>
> I realize some of these are old and deprecated etc, but where does the
> default list come from?
>
> I tried this code to set it to use one of the more modern ciphers shown
> in the the openssl ciphers output:
>
> char *ssl_cipher = "ECDHE-ECDSA-AES128-GCM-SHA256";
> if(!SSL_CTX_set_cipher_list(jav->ctx, ssl_cipher))
>          return (false);
>
> but after that the nmap script doesn't find any ciphers.
>
> Any suggestions?

When you run "openssl ciphers" without other arguments it will give you
the default set of ciphersuites. Not all of those will be useable by
your server depending on other aspects of its configuration. For example
PSK ciphersuites will only be available if you have configured a
pre-shared-key (PSK).

Most important is the type of certificate that your server is using,
with typical types being RSA, ECDSA or DSA. It is possible to configure
a server with more than one type of certificate - but if you've only got
one then only ciphersuites compatible with that certificate will be used.

In your example the ECDHE-ECDSA-AES128-GCM-SHA256 requires an ECDSA
certificate to be present. If you haven't go one, and that's the only
ciphersuite configured, then you won't be able to successfully make
connections.

Hope that helps,

Matt

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: how to control the cipher list of an openssl server

Nitin Mutkawoa
Hello

I wish to add some additional information. Perhaps it's useful to you.

As Matt mentioned check out your ciphers. --> openssl ciphers -v
You can also grep a particular cipher for example TLS. openssl "ciphers" -v | grep i tls

So basically, you might need to check if you have the right version of openssl-libs. If you have compiled your OpenSSL from source, it will also depends which lib you are specifying which might result out old ciphers in that particular situation. Look out for the binary and use ldd to see which library it is calling.

It also depends how the server is configured. Let's say its a webserver Nginx server, you will need to add the necessary ciphers to the conf.
Since you have probably run an nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 www.example.com, i doubt that the issue might be with the server configuration.

regards

Twitter: @TheTunnelix

On Tue, Mar 13, 2018 at 4:09 AM, Matt Caswell <[hidden email]> wrote:


On 12/03/18 22:53, Chris Bare wrote:
> I have a fairly basic server set up based on various examples I've seen.
>
> I run an nmap script I found against it and see only 16 ciphers listed,
> none of which are supported by modern web browsers.
> Yet when I run "openssl ciphers I get a list of 97.
>
> I realize some of these are old and deprecated etc, but where does the
> default list come from?
>
> I tried this code to set it to use one of the more modern ciphers shown
> in the the openssl ciphers output:
>
> char *ssl_cipher = "ECDHE-ECDSA-AES128-GCM-SHA256";
> if(!SSL_CTX_set_cipher_list(jav->ctx, ssl_cipher))
>          return (false);
>
> but after that the nmap script doesn't find any ciphers.
>
> Any suggestions?

When you run "openssl ciphers" without other arguments it will give you
the default set of ciphersuites. Not all of those will be useable by
your server depending on other aspects of its configuration. For example
PSK ciphersuites will only be available if you have configured a
pre-shared-key (PSK).

Most important is the type of certificate that your server is using,
with typical types being RSA, ECDSA or DSA. It is possible to configure
a server with more than one type of certificate - but if you've only got
one then only ciphersuites compatible with that certificate will be used.

In your example the ECDHE-ECDSA-AES128-GCM-SHA256 requires an ECDSA
certificate to be present. If you haven't go one, and that's the only
ciphersuite configured, then you won't be able to successfully make
connections.

Hope that helps,

Matt

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users