
OpenSSL Cookbook, 3rd Edition

The definitive guide to using the OpenSSL command line for configuration and testing. Topics covered in this book include key and certificate management, server configuration, a step-by-step guide to creating a private CA, and testing of online services. Written by Ivan Ristić.


1.3.1 Obtaining Supported Suites

Let’s start this deep dive by first determining which suites are supported by your OpenSSL installation. To do this, invoke the ciphers command with the -v switch and ALL:COMPLEMENTOFALL as a parameter:

$ openssl ciphers -v 'ALL:COMPLEMENTOFALL'

Tip

From OpenSSL 1.0.0, the ciphers command supports the uppercase -V switch to provide extra-verbose output. In this mode, the output will also contain suite IDs, which are always handy to have. For example, OpenSSL doesn’t always use the RFC names for suites; in such cases, you must use the IDs to cross-check. In this section, I use the lowercase -v because the output is easier to show in the book.

At this point you will observe a lot of output, consisting of everything your installation of OpenSSL has to offer. In my case, there were 162 suites in the output. Let’s take a look at one line:

TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD

Each line of output provides extended information on one suite. From left to right:

  1. Suite name

  2. Required minimum protocol version [1]

  3. Key exchange algorithm

  4. Authentication algorithm

  5. Encryption algorithm and strength

  6. MAC (integrity) algorithm
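
Because the columns are regular, the output is easy to process in scripts. The following is an added example, not code from the book: a POSIX shell and awk parser for the six columns, run over a constructed sample. The function names parse_suites, count_by_protocol and non_aead are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample in the format printed by `openssl ciphers -v`
# (the first line is the one quoted above; the rest are illustrative).
SAMPLE='TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1'

# parse_suites (hypothetical helper): read `ciphers -v` lines on stdin
# and print one tab-separated record per suite:
#   name  min_protocol  kx  au  cipher  bits  mac
parse_suites() {
    awk '
    NF >= 6 {
        name = $1; proto = $2
        kx = au = enc = mac = ""
        # Locate fields by their Key= prefix rather than by position,
        # so padding or trailing columns do not shift the result.
        for (i = 3; i <= NF; i++) {
            if      ($i ~ /^Kx=/)  kx  = substr($i, 4)
            else if ($i ~ /^Au=/)  au  = substr($i, 4)
            else if ($i ~ /^Enc=/) enc = substr($i, 5)
            else if ($i ~ /^Mac=/) mac = substr($i, 5)
        }
        # Enc is "CIPHER(bits)"; suites without encryption print "None".
        bits = 0; cipher = enc
        p = index(enc, "(")
        if (p > 0) {
            cipher = substr(enc, 1, p - 1)
            bits = substr(enc, p + 1) + 0
        }
        printf "%s\t%s\t%s\t%s\t%s\t%d\t%s\n", name, proto, kx, au, cipher, bits, mac
    }'
}

# count_by_protocol: tally suites per value of the protocol column.
count_by_protocol() {
    parse_suites | awk -F'\t' '{ n[$2]++ } END { for (p in n) print p, n[p] }' | sort
}

# non_aead: names of suites whose MAC column is not AEAD.
non_aead() {
    parse_suites | awk -F'\t' '$7 != "AEAD" { print $1 }'
}

# Real use: openssl ciphers -v 'ALL:COMPLEMENTOFALL' | parse_suites
printf '%s\n' "$SAMPLE" | parse_suites
```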

Traditionally, OpenSSL didn’t use official suite names, although it does now for TLS 1.3 suites. More recently, adding the -stdname switch to the ciphers tool gives you the official suite names and the OpenSSL names at the same time.

Note

You may notice that all TLS 1.3 suites have any under key exchange and authentication. This is because this protocol version moved these two aspects of the handshake out of the cipher suites and into the protocol itself. It also removed all insecure algorithms, so in this context any isn’t bad or insecure.


[1] Some suites on the list show SSLv3 in the protocol column. This is nothing to worry about. It only means that the suite is compatible with this old (and obsolete) protocol version. Your configuration will not downgrade to SSL 3.0 if these suites are used.
