book cover

OpenSSL Cookbook  3rd Edition

The definitive guide to using the OpenSSL command line for configuration and testing. Topics covered in this book include key and certificate management, server configuration, a step by step guide to creating a private CA, and testing of online services. Written by Ivan Ristić.

1.3.7 Legacy Suite Configuration

In this section, I’ll briefly cover the legacy keyword-based configuration of cipher suites that applies to TLS 1.2 and earlier protocol versions. This section is important largely only if you’re interested in how the keyword approach works. Otherwise, you’re better off simply specifying the suites you wish to use, as I did with the recommended configuration in the previous section.

1.3.7.1 Keywords

Cipher suite keywords are the basic building blocks of cipher suite configuration. Each suite name (e.g., RC4-SHA) is a keyword that selects exactly one suite.1 All other keywords select groups of suites according to some criteria. Keyword names are case-sensitive. In this section, I will provide an overview of all cipher suite keywords supported by OpenSSL, one group at a time.

Group keywords are shortcuts that select frequently used cipher suites. For example, HIGH will select only very strong cipher suites.

Table  1.3.7.1.1 Group keywords
Keyword Meaning
DEFAULT The default cipher list. This is determined at compile time and must be the first cipher string specified.
COMPLEMENTOFDEFAULT The ciphers included in ALL, but not enabled by default. Note that this rule does not cover eNULL, which is not included by ALL (use COMPLEMENTOFALL if necessary).
ALL All cipher suites except the eNULL ciphers, which must be explicitly enabled.
COMPLEMENTOFALL The cipher suites not enabled by ALL, currently eNULL.
HIGH “High”-encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys.
MEDIUM “Medium”-encryption cipher suites, currently some of those using 128-bit encryption.
LOW “Low”-encryption cipher suites, currently those using 64- or 56-bit encryption algorithms, but excluding export cipher suites. No longer supported. Insecure.
EXP, EXPORT Export encryption algorithms. Including 40- and 56-bit algorithms. No longer supported. Insecure.
EXPORT40 40-bit export encryption algorithms. No longer supported. Insecure.
EXPORT56 56-bit export encryption algorithms. No longer supported. Insecure.
TLSv1.2, TLSv1.0, TLSv1, SSLv3, SSLv2 Cipher suites that require the specified protocol version. There are two keywords for TLS 1.0 and no keywords for TLS 1.3 and TLS 1.1. These keywords do not affect protocol configuration, just the suites.

Digest keywords select suites that use a particular digest algorithm. For example, SHA256 selects all suites that rely on SHA256 for integrity validation.

Table  1.3.7.1.2 Digest algorithm keywords
Keyword Meaning
MD5 Cipher suites using MD5. Obsolete and insecure.
SHA, SHA1 Cipher suites using SHA1.
SHA256 Cipher suites using SHA256.
SHA384 Cipher suites using SHA384.
🛈︎
Note

The digest algorithm keywords select only suites that validate data integrity at the protocol level. TLS 1.2 introduced support for authenticated encryption, which is a mechanism that bundles encryption with integrity validation. When the so-called AEAD (authenticated encryption with associated Data) suites are used, the protocol doesn’t need to provide additional integrity verification. For this reason, you won’t be able to use the digest algorithm keywords to select AEAD suites (currently, those that have GCM in the name). The names of these suites do use SHA256 and SHA384 suffixes, but (confusing as it may be) here they refer to the hash functions used to build the pseudorandom function used with the suite.

Authentication keywords select suites based on the authentication method they use. Today, the RSA public key algorithm is still used by the majority of certificates, with ECDSA quickly catching up.

Table  1.3.7.1.3 Authentication keywords
Keyword Meaning
aDH Cipher suites effectively using DH authentication, i.e., the certificates carry DH keys. Removed in 1.1.0.
aDSS, DSS Cipher suites using DSS authentication, i.e., the certificates carry DSS keys.
aECDH Cipher suites that use ECDH authentication. Removed in 1.1.0.
aECDSA, ECDSA Cipher suites that use ECDSA authentication.
aNULL Cipher suites offering no authentication. This is currently the anonymous DH algorithms. Insecure.
aRSA Cipher suites using RSA authentication, i.e., the certificates carry RSA keys.
aPSK Cipher suites using PSK (Pre-Shared Key) authentication.
aSRP Cipher suites using SRP (Secure Remote Password) authentication.

Key exchange keywords select suites based on the key exchange algorithm. When it comes to ephemeral Diffie-Hellman suites, OpenSSL is inconsistent in naming the suites and the keywords. In the suite names, ephemeral suites tend to have an E at the end of the key exchange algorithm (e.g., ECDHE-RSA-RC4-SHA and DHE-RSA-AES256-SHA), but in the keywords the E is at the beginning (e.g., EECDH and EDH). The preferred names today are DHE and ECDHE; the other keywords are supported for backward compatibility.

Table  1.3.7.1.4 Key exchange keywords
Keyword Meaning
ADH Anonymous DH cipher suites. Insecure.
AECDH Anonymous ECDH cipher suites. Insecure.
DHE, EDH Cipher suites using ephemeral DH key agreement only.
ECDHE, EECDH Cipher suites using ephemeral ECDH.
kDHE, kEDH, DH Cipher suites using ephemeral DH key agreement (includes anonymous DH).
kECDHE, kEECDH, ECDH Cipher suites using ephemeral ECDH key agreement (includes anonymous ECDH).
kRSA, RSA Cipher suites using RSA key exchange.
kPSK, kECDHEPSK, kDHEPSK, kRSAPSK Cipher suites using PSK key exchange.

Cipher keywords select suites based on the cipher they use.

Table  1.3.7.1.5 Cipher keywords
Keyword Meaning
AES, AESCCM, AESCCM8, AESGCM Cipher suites using AES, AES CCM, and AES GCM.
ARIA, ARIA128, ARIA256 Cipher suites using ARIA.
CAMELLIA, CAMELLIA128, CAMELLIA256 Cipher suites using Camellia. Obsolete.
CHACHA20 Cipher suites using ChaCha20.
eNULL, NULL Cipher suites that don’t use encryption. Insecure.
IDEA Cipher suites using IDEA. Obsolete.
SEED Cipher suites using SEED. Obsolete.
3DES, DES, IDEA, RC2, RC4 No longer supported by default. Obsolete and insecure.

What remains is a number of suites that do not fit into any other category. The bulk of them are related to the GOST standards, which are relevant for the countries that are part of the Commonwealth of Independent States, formed after the breakup of the Soviet Union. The GOST suites are defined but require the GOST engine to be activated. The GOST engine is not part of the core OpenSSL since version 1.1.0.

Table  1.3.7.1.6 Miscellaneous keywords
Keyword Meaning
@SECLEVEL Configures the security level, which sets minimum security requirements.
@STRENGTH Sorts the current cipher suite list in order of encryption algorithm key length.
aGOST Cipher suites using GOST R 34.10 (either 2001 or 94) for authentication. Requires a GOST-capable engine.
aGOST01 Cipher suites using GOST R 34.10-2001 authentication.
aGOST94 Cipher suites using GOST R 34.10-94 authentication. Obsolete. Use GOST R 34.10-2001 instead.
kGOST Cipher suites using VKO 34.10 key exchange, specified in RFC 4357.
GOST94 Cipher suites using HMAC based on GOST R 34.11-94.
GOST89MAC Cipher suites using GOST 28147-89 MAC instead of HMAC.
PSK Cipher suites using PSK in any capacity.

1.3.7.2 Combining Keywords

In most cases, you’ll use keywords by themselves, but it’s also possible to combine them to select only suites that meet several requirements, by connecting two or more keywords with the + character. In the following example, we select suites that use the ECDHE key exchange in combination with AES-GCM:

$ openssl ciphers -v -s -tls1_2 'EECDH+AESGCM'
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(128) Mac=AEAD

1.3.7.3 Building Cipher Suite Lists

The key concept in building a cipher suite configuration is that of the current suite list. The list always starts empty, without any suites, but every keyword that you add to the configuration string will change the list in some way. By default, new suites are appended to the list. In the following example, the configuration starts with all suites that use the ECDHE key exchange, followed by all suites that use the DHE key exchange:

$ openssl ciphers -v 'ECDHE:DHE'

The colon character is commonly used to separate keywords, but spaces and commas are equally acceptable. The following command produces the same output as the previous example:

$ openssl ciphers -v 'ECDHE DHE'

1.3.7.4 Keyword Modifiers

Keyword modifiers are characters you can place at the beginning of each keyword in order to change the default action (adding to the list) to something else. The following actions are supported:

Append

Add suites to the end of the list. If any of the suites are already on the list, they will remain in their present position. This is the default action, which is invoked when there is no modifier in front of the keyword.

Delete (-)

Remove all matching suites from the list, potentially allowing some other keyword to reintroduce them later.

Permanently delete (!)

Remove all matching suites from the list and prevent them from being added later by another keyword. This modifier is useful for specifying all the suites you never want to use, making further selection easier and preventing mistakes.

Move to the end (+)

Move all matching suites to the end of the list. This works only on existing suites; it never adds new suites to the list. This modifier is useful if you want to keep some weaker suites enabled but prefer the stronger ones. For example, the string AES:+AES256 enables all AES suites but pushes the 256-bit ones to the end.

1.3.7.4.1 Sorting

The @STRENGTH keyword serves a special purpose: it will not introduce or remove any suites, but it will sort them in order of descending cipher strength. Automatic sorting is an interesting idea, but it makes sense only in a perfect world in which cipher suites can actually be compared by cipher strength alone. In most cases, the highest-strength suites are not typically required. You often have them in your configuration only to interoperate with picky clients.

1.3.7.5 Handling Errors

There are two types of errors you might experience while working on your configuration. The first is a result of a typo or an attempt to use a keyword that does not exist:

$ openssl ciphers -v '@HIGH'
Error in cipher list
140460843755168:error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:ssl_ciph.c:1317:

The output is cryptic, but it does contain an error message.

Another possibility is that you end up with an empty list of cipher suites, in which case you might see something similar to the following:

$ openssl ciphers -v 'SHA512'
Error in cipher list
140202299557536:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1312:
1

With recent OpenSSL releases, you can use the legacy suite names that are specific to OpenSSL, but also the standard suite names.

< Prev
^ Table of Contents
Next >