OLD | NEW |
1 =pod | 1 =pod |
2 | 2 |
3 =head1 NAME | 3 =head1 NAME |
4 | 4 |
5 ciphers - SSL cipher display and cipher list tool. | 5 ciphers - SSL cipher display and cipher list tool. |
6 | 6 |
7 =head1 SYNOPSIS | 7 =head1 SYNOPSIS |
8 | 8 |
9 B<openssl> B<ciphers> | 9 B<openssl> B<ciphers> |
10 [B<-v>] | 10 [B<-v>] |
| 11 [B<-V>] |
11 [B<-ssl2>] | 12 [B<-ssl2>] |
12 [B<-ssl3>] | 13 [B<-ssl3>] |
13 [B<-tls1>] | 14 [B<-tls1>] |
14 [B<cipherlist>] | 15 [B<cipherlist>] |
15 | 16 |
16 =head1 DESCRIPTION | 17 =head1 DESCRIPTION |
17 | 18 |
18 The B<cipherlist> command converts OpenSSL cipher lists into ordered | 19 The B<ciphers> command converts textual OpenSSL cipher lists into ordered |
19 SSL cipher preference lists. It can be used as a test tool to determine | 20 SSL cipher preference lists. It can be used as a test tool to determine |
20 the appropriate cipherlist. | 21 the appropriate cipherlist. |
21 | 22 |
22 =head1 COMMAND OPTIONS | 23 =head1 COMMAND OPTIONS |
23 | 24 |
24 =over 4 | 25 =over 4 |
25 | 26 |
26 =item B<-v> | 27 =item B<-v> |
27 | 28 |
28 verbose option. List ciphers with a complete description of | 29 Verbose option. List ciphers with a complete description of |
29 protocol version (SSLv2 or SSLv3; the latter includes TLS), key exchange, | 30 protocol version (SSLv2 or SSLv3; the latter includes TLS), key exchange, |
30 authentication, encryption and mac algorithms used along with any key size | 31 authentication, encryption and mac algorithms used along with any key size |
31 restrictions and whether the algorithm is classed as an "export" cipher. | 32 restrictions and whether the algorithm is classed as an "export" cipher. |
32 Note that without the B<-v> option, ciphers may seem to appear twice | 33 Note that without the B<-v> option, ciphers may seem to appear twice |
33 in a cipher list; this is when similar ciphers are available for | 34 in a cipher list; this is when similar ciphers are available for |
34 SSL v2 and for SSL v3/TLS v1. | 35 SSL v2 and for SSL v3/TLS v1. |
35 | 36 |
| 37 =item B<-V> |
| 38 |
| 39 Like B<-V>, but include cipher suite codes in output (hex format). |
| 40 |
36 =item B<-ssl3> | 41 =item B<-ssl3> |
37 | 42 |
38 only include SSL v3 ciphers. | 43 only include SSL v3 ciphers. |
39 | 44 |
40 =item B<-ssl2> | 45 =item B<-ssl2> |
41 | 46 |
42 only include SSL v2 ciphers. | 47 only include SSL v2 ciphers. |
43 | 48 |
44 =item B<-tls1> | 49 =item B<-tls1> |
45 | 50 |
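Review bot: the new =item B<-V> paragraph describes the option in terms of itself ("Like B<-V>, but include cipher suite codes in output (hex format)."); it should read "Like B<-v>, but include cipher suite codes in output (hex format)." so the reader knows it is the lower-case verbose option being extended. The capitalization fix in the same hunk is also only partial: "verbose option." became "Verbose option.", while the adjacent "only include SSL v3 ciphers." and "only include SSL v2 ciphers." items stay lower-case, so either capitalize all three item descriptions or leave them consistent.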
(...skipping 51 matching lines...)
97 the current cipher list in order of encryption algorithm key length. | 102 the current cipher list in order of encryption algorithm key length. |
98 | 103 |
99 =head1 CIPHER STRINGS | 104 =head1 CIPHER STRINGS |
100 | 105 |
101 The following is a list of all permitted cipher strings and their meanings. | 106 The following is a list of all permitted cipher strings and their meanings. |
102 | 107 |
103 =over 4 | 108 =over 4 |
104 | 109 |
105 =item B<DEFAULT> | 110 =item B<DEFAULT> |
106 | 111 |
107 the default cipher list. This is determined at compile time and is normally | 112 the default cipher list. This is determined at compile time and, as of OpenSSL |
108 B<AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH>. This must be the first cipher string | 113 1.0.0, is normally B<ALL:!aNULL:!eNULL>. This must be the first cipher string |
109 specified. | 114 specified. |
110 | 115 |
111 =item B<COMPLEMENTOFDEFAULT> | 116 =item B<COMPLEMENTOFDEFAULT> |
112 | 117 |
113 the ciphers included in B<ALL>, but not enabled by default. Currently | 118 the ciphers included in B<ALL>, but not enabled by default. Currently |
114 this is B<ADH>. Note that this rule does not cover B<eNULL>, which is | 119 this is B<ADH>. Note that this rule does not cover B<eNULL>, which is |
115 not included by B<ALL> (use B<COMPLEMENTOFALL> if necessary). | 120 not included by B<ALL> (use B<COMPLEMENTOFALL> if necessary). |
116 | 121 |
117 =item B<ALL> | 122 =item B<ALL> |
118 | 123 |
119 all ciphers suites except the B<eNULL> ciphers which must be explicitly enabled. | 124 all cipher suites except the B<eNULL> ciphers which must be explicitly enabled; |
| 125 as of OpenSSL, the B<ALL> cipher suites are reasonably ordered by default |
120 | 126 |
121 =item B<COMPLEMENTOFALL> | 127 =item B<COMPLEMENTOFALL> |
122 | 128 |
123 the cipher suites not enabled by B<ALL>, currently being B<eNULL>. | 129 the cipher suites not enabled by B<ALL>, currently being B<eNULL>. |
124 | 130 |
125 =item B<HIGH> | 131 =item B<HIGH> |
126 | 132 |
127 "high" encryption cipher suites. This currently means those with key lengths lar
ger | 133 "high" encryption cipher suites. This currently means those with key lengths lar
ger |
128 than 128 bits, and some cipher suites with 128-bit keys. | 134 than 128 bits, and some cipher suites with 128-bit keys. |
129 | 135 |
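Review bot: the sentence appended to the B<ALL> entry, "as of OpenSSL, the B<ALL> cipher suites are reasonably ordered by default", is missing both its version number and its terminating period; the B<DEFAULT> entry just above names OpenSSL 1.0.0, so write "as of OpenSSL 1.0.0, the B<ALL> cipher suites are reasonably ordered by default." This sentence is also the only justification the page gives for changing the documented default from B<AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH> to B<ALL:!aNULL:!eNULL>, i.e. for dropping the explicit B<@STRENGTH> sort and the B<+RC4> demotion, so it should say what "reasonably ordered" means (which suites are preferred, and where RC4 now lands) for an administrator deciding whether to keep the old string in their configuration.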
(...skipping 108 matching lines...)
238 cipher suites using SEED. | 244 cipher suites using SEED. |
239 | 245 |
240 =item B<MD5> | 246 =item B<MD5> |
241 | 247 |
242 cipher suites using MD5. | 248 cipher suites using MD5. |
243 | 249 |
244 =item B<SHA1>, B<SHA> | 250 =item B<SHA1>, B<SHA> |
245 | 251 |
246 cipher suites using SHA1. | 252 cipher suites using SHA1. |
247 | 253 |
| 254 =item B<aGOST> |
| 255 |
| 256 cipher suites using GOST R 34.10 (either 2001 or 94) for authenticaction |
| 257 (needs an engine supporting GOST algorithms). |
| 258 |
| 259 =item B<aGOST01> |
| 260 |
| 261 cipher suites using GOST R 34.10-2001 authentication. |
| 262 |
| 263 =item B<aGOST94> |
| 264 |
| 265 cipher suites using GOST R 34.10-94 authentication (note that R 34.10-94 |
| 266 standard has been expired so use GOST R 34.10-2001) |
| 267 |
| 268 =item B<kGOST> |
| 269 |
| 270 cipher suites, using VKO 34.10 key exchange, specified in the RFC 4357. |
| 271 |
| 272 =item B<GOST94> |
| 273 |
| 274 cipher suites, using HMAC based on GOST R 34.11-94. |
| 275 |
| 276 =item B<GOST89MAC> |
| 277 |
| 278 cipher suites using GOST 28147-89 MAC B<instead of> HMAC. |
| 279 |
| 280 |
248 =back | 281 =back |
249 | 282 |
250 =head1 CIPHER SUITE NAMES | 283 =head1 CIPHER SUITE NAMES |
251 | 284 |
252 The following lists give the SSL or TLS cipher suites names from the | 285 The following lists give the SSL or TLS cipher suites names from the |
253 relevant specification and their OpenSSL equivalents. It should be noted, | 286 relevant specification and their OpenSSL equivalents. It should be noted, |
254 that several cipher suite names do not include the authentication used, | 287 that several cipher suite names do not include the authentication used, |
255 e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. | 288 e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. |
256 | 289 |
257 =head2 SSL v3.0 cipher suites. | 290 =head2 SSL v3.0 cipher suites. |
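Review bot: typo in the B<aGOST> entry, "authenticaction" should be "authentication". The B<aGOST94> note is ungrammatical and unpunctuated: "(note that R 34.10-94 standard has been expired so use GOST R 34.10-2001)" should read "(note that the GOST R 34.10-94 standard has expired, so GOST R 34.10-2001 should be used)." The B<kGOST> and B<GOST94> entries carry stray commas: "cipher suites, using VKO 34.10 key exchange, specified in the RFC 4357." reads better as "cipher suites using VKO 34.10 key exchange as specified in RFC 4357.", and "cipher suites, using HMAC based on GOST R 34.11-94." as "cipher suites using HMAC based on GOST R 34.11-94." Finally there are two blank lines before =back where the rest of the list uses one.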
(...skipping 105 matching lines...)
363 TLS_RSA_WITH_SEED_CBC_SHA SEED-SHA | 396 TLS_RSA_WITH_SEED_CBC_SHA SEED-SHA |
364 | 397 |
365 TLS_DH_DSS_WITH_SEED_CBC_SHA Not implemented. | 398 TLS_DH_DSS_WITH_SEED_CBC_SHA Not implemented. |
366 TLS_DH_RSA_WITH_SEED_CBC_SHA Not implemented. | 399 TLS_DH_RSA_WITH_SEED_CBC_SHA Not implemented. |
367 | 400 |
368 TLS_DHE_DSS_WITH_SEED_CBC_SHA DHE-DSS-SEED-SHA | 401 TLS_DHE_DSS_WITH_SEED_CBC_SHA DHE-DSS-SEED-SHA |
369 TLS_DHE_RSA_WITH_SEED_CBC_SHA DHE-RSA-SEED-SHA | 402 TLS_DHE_RSA_WITH_SEED_CBC_SHA DHE-RSA-SEED-SHA |
370 | 403 |
371 TLS_DH_anon_WITH_SEED_CBC_SHA ADH-SEED-SHA | 404 TLS_DH_anon_WITH_SEED_CBC_SHA ADH-SEED-SHA |
372 | 405 |
| 406 =head2 GOST ciphersuites from draft-chudov-cryptopro-cptls, extending TLS v1.0 |
| 407 |
| 408 Note: these ciphers require an engine which including GOST cryptographic |
| 409 algorithms, such as the B<ccgost> engine, included in the OpenSSL distribution. |
| 410 |
| 411 TLS_GOSTR341094_WITH_28147_CNT_IMIT GOST94-GOST89-GOST89 |
| 412 TLS_GOSTR341001_WITH_28147_CNT_IMIT GOST2001-GOST89-GOST89 |
| 413 TLS_GOSTR341094_WITH_NULL_GOSTR3411 GOST94-NULL-GOST94 |
| 414 TLS_GOSTR341001_WITH_NULL_GOSTR3411 GOST2001-NULL-GOST94 |
| 415 |
373 =head2 Additional Export 1024 and other cipher suites | 416 =head2 Additional Export 1024 and other cipher suites |
374 | 417 |
375 Note: these ciphers can also be used in SSL v3. | 418 Note: these ciphers can also be used in SSL v3. |
376 | 419 |
377 TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DES-CBC-SHA | 420 TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DES-CBC-SHA |
378 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA EXP1024-RC4-SHA | 421 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA EXP1024-RC4-SHA |
379 TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DHE-DSS-DES-CBC-SHA | 422 TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DHE-DSS-DES-CBC-SHA |
380 TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024-DHE-DSS-RC4-SHA | 423 TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024-DHE-DSS-RC4-SHA |
381 TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA | 424 TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA |
382 | 425 |
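Review bot: grammar in the new GOST note, "an engine which including GOST cryptographic algorithms" should be "an engine which includes GOST cryptographic algorithms". Two of the four new suites (GOST94-NULL-GOST94 and GOST2001-NULL-GOST94) are NULL-encryption suites, and the CIPHER STRINGS section of this file says B<eNULL> ciphers are excluded from B<ALL> and must be enabled explicitly; the note should state whether these suites fall under B<eNULL> and so are kept out of B<ALL> and B<DEFAULT>, since they provide authentication and integrity only, not confidentiality.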
(...skipping 38 matching lines...)
421 encryption. | 464 encryption. |
422 | 465 |
423 openssl ciphers -v 'RSA:!COMPLEMENTOFALL' | 466 openssl ciphers -v 'RSA:!COMPLEMENTOFALL' |
424 | 467 |
425 =head1 SEE ALSO | 468 =head1 SEE ALSO |
426 | 469 |
427 L<s_client(1)|s_client(1)>, L<s_server(1)|s_server(1)>, L<ssl(3)|ssl(3)> | 470 L<s_client(1)|s_client(1)>, L<s_server(1)|s_server(1)>, L<ssl(3)|ssl(3)> |
428 | 471 |
429 =head1 HISTORY | 472 =head1 HISTORY |
430 | 473 |
431 The B<COMPLENTOFALL> and B<COMPLEMENTOFDEFAULT> selection options were | 474 The B<COMPLENTOFALL> and B<COMPLEMENTOFDEFAULT> selection options |
432 added in version 0.9.7. | 475 for cipherlist strings were added in OpenSSL 0.9.7. |
| 476 The B<-V> option for the B<ciphers> command was added in OpenSSL 1.0.0. |
433 | 477 |
434 =cut | 478 =cut |
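Review bot: the HISTORY paragraph is reworded but carries over the pre-existing typo B<COMPLENTOFALL>; since the line is being touched anyway, correct it to B<COMPLEMENTOFALL> so it matches the cipher string documented in the CIPHER STRINGS section above.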