Hi OpenSSL folks--

In the message below, James Cloos points out that the OpenSSL
ciphersuite string labels are not consistent with the grouping shorthand
for DES and 3DES.

This seems similar to the situation for DHE (EDH) and ECDHE (EECDH),
which were known with incompatible/inconsistent terms across the project
UI, and were addressed in #3203 [0].

The changes would be in both input (specifying the ciphersuite
explicitly via e.g. ECDHE-ECDSA-3DES-EDE-CBC-SHA, which currently does
not work) and output (producing more well-normalized ciphersuite strings).

Changes to add aliases to the input should be backportable to all stable
versions, though i can see the argument for not backporting the changes
to the output on stable releases.

What do people think about cleaning this up?  I can try to provide
patches if folks think this is worth fixing.

        --dkg

[0] https://rt.openssl.org/Ticket/Display.html?id=3203
[1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
--- Begin Message ---
>>>>> "WL" == Watson Ladd <[email protected]> writes:

WL> Do you know what your TLS configurations mean? If you use OpenSSL,
WL> probably not: apparently "HIGH" enables ADH ciphersuites. It does so
WL> before permitting AES128 with an authenticated ECDHE exchange. Sorting
WL> by strength puts DES ahead of AES128: I've got no idea how that
WL> happened. (Yes, DES: 3DES is indicated differently. Maybe it is really
WL> 3DES, but even so...).

With openssl-1.1g, I see no DES from HIGH, only 3DES.

But you have to look carefully to realise that.  The SRP and PSK suites
which match the regex /DES/ use CBC3 to specify triple des; all other
openssl suites which match /DES/ use 3DES to specify triple des.

Gnutls, OTOH, always uses 3DES_EDE_CBC for the suites, and 3DES-CBC for
the cipher.

NSS’s tstclnt uses single-letter flags rather than names, but documents
the triple des options with EDE3 for the ssl2 suite and 3DES for the ssl3
suites it supports.

-JimC
--
James Cloos <[email protected]>         OpenPGP: 0x997A9F17ED7DAEA6

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls

--- End Message ---
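An added example, not part of dkg's or James Cloos's mail and not OpenSSL's own code: a small Python audit that parses `openssl ciphers -v` output and classifies suites by their Kx=/Au=/Enc= fields rather than by their names. The thread's point is that matching suite names against /DES/ is unreliable because triple DES is spelled both CBC3 and 3DES depending on the suite, and that a string like HIGH can admit anonymous (Au=None) suites; the Enc= and Au= fields say what the suite actually does regardless of spelling. The sample output embedded below is constructed for the example, not captured from a real build; the suite names follow OpenSSL's naming, the field values are illustrative.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample in the shape of `openssl ciphers -v` output. It is not a
# capture from a real build; it exists to show that a name-based /DES/ match
# cannot tell single DES, CBC3-named and 3DES-named suites apart.
SAMPLE_OUTPUT = """\
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-DES-CBC3-SHA        SSLv3   Kx=ECDH Au=RSA   Enc=3DES(168)   Mac=SHA1
PSK-3DES-EDE-CBC-SHA          SSLv3   Kx=PSK  Au=PSK   Enc=3DES(168)   Mac=SHA1
ADH-AES128-SHA                SSLv3   Kx=DH   Au=None  Enc=AES(128)    Mac=SHA1
DES-CBC-SHA                   SSLv3   Kx=RSA  Au=RSA   Enc=DES(56)     Mac=SHA1
"""

# One `openssl ciphers -v` line: name, protocol, then Kx=/Au=/Enc=/Mac= fields.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


@dataclass
class Suite:
    name: str
    proto: str
    kx: str
    au: str
    enc: str
    mac: str


def parse_ciphers(text):
    """Parse `openssl ciphers -v` lines into Suite records; other lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(Suite(**m.groupdict()))
    return suites


def audit(suites):
    """Classify suites by the Au= and Enc= fields, not by their names."""
    report = {
        "anonymous": [],        # Au=None: no server authentication (ADH/AECDH)
        "triple_des": [],       # Enc=3DES(...), whether the name says CBC3 or 3DES
        "single_des": [],       # Enc=DES(...)
        "name_matches_des": [], # what a naive /DES/ grep on the name would return
    }
    for s in suites:
        if s.au == "None":
            report["anonymous"].append(s.name)
        if s.enc.startswith("3DES"):
            report["triple_des"].append(s.name)
        elif s.enc.startswith("DES"):
            report["single_des"].append(s.name)
        if re.search(r"DES", s.name):
            report["name_matches_des"].append(s.name)
    return report


if __name__ == "__main__":
    # Usage: openssl ciphers -v 'HIGH' | python3 audit_ciphers.py
    # With no piped input the constructed sample above is audited instead.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for category, names in audit(parse_ciphers(text)).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

On the constructed sample the name grep returns three suites while the Enc= field separates them into one single-DES and two triple-DES suites, and the ADH suite shows up only because Au=None is checked explicitly; run against a real cipher string, the Au= and Enc= columns are the ones to trust.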
