Re: 3.0.0-alpha2: openssl ciphers MEDIUM empty?

2020-06-04 Thread Matt Caswell



On 04/06/2020 00:39, Benjamin Kaduk via openssl-users wrote:
> only reports the TLS 1.3 ciphersuites and some SEED ciphers for an
> input of MEDIUM, and IIRC the SEED ciphers have been foisted off to the
> legacy provider and are not available by default.

Yes - this is exactly the reason. Explicitly loading the legacy and
default providers restores the previous behaviour:

$ openssl ciphers -provider legacy -provider default MEDIUM

TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA


Matt


Re: 3.0.0-alpha2: openssl ciphers MEDIUM empty?

2020-06-03 Thread Benjamin Kaduk via openssl-users
On Wed, Jun 03, 2020 at 07:05:32PM +0200, Claus Assmann wrote:
> Just curious: Why is the output of
> openssl ciphers MEDIUM
> "empty" for 3.0.0.a2?

There are no ciphers available by default that are at the MEDIUM
level (which, to be honest, does not make a huge amount of sense at this
point anyway -- there's not a clear spot between "good" and "bad" to
bucket things into).

> Error in cipher list
> 00:00:00:00:error:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2705:
> 
> Using 1.1.1 lists several, and at least
> TLS_AES_128_GCM_SHA256
> is also listed by
> openssl-3.0.0.a2 ciphers

TLS_* are TLS 1.3 ciphers, which in the parlance of openssl configuration
are known as "ciphersuites" (vs. "cipher list"), and are not affected
by the "cipher list" that you provide via SSL_CTX_set_cipher_list().

My
$ openssl version
OpenSSL 1.1.1  11 Sep 2018
only reports the TLS 1.3 ciphersuites and some SEED ciphers for an
input of MEDIUM, and IIRC the SEED ciphers have been foisted off to the
legacy provider and are not available by default.

> Has the "classification" of ciphers changed?
> I didn't see anything obvious in CHANGES.

This may just be the "legacy provider" bit -- the SEED ciphers are
still listed as "MEDIUM" in the code (and there are some others that
are gated behind ssl-weak-ciphers).

-Ben
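
The following is an added example, not part of the thread or of OpenSSL's own code. It separates the TLS 1.3 ciphersuites from the TLS 1.2-and-below cipher list for a given cipher string, using Python's `ssl` module, whose `set_ciphers()` calls `SSL_CTX_set_cipher_list()`. The function name `audit_cipher_string` and the sample cipher strings are chosen here for illustration, and the result for `MEDIUM` depends on the OpenSSL build Python is linked against.

```python
import ssl


def audit_cipher_string(spec):
    """Apply an OpenSSL cipher string to a fresh context and report the result.

    Returns a dict with:
      accepted - False if the library rejected the string ("no cipher match")
      tls12    - names selected by the cipher list (TLS 1.2 and below)
      tls13    - TLS 1.3 ciphersuites, which the cipher list does not control
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        # Raised when the cipher string selects no TLS 1.2-or-below cipher,
        # the same condition the thread's "no cipher match" error reports.
        return {"spec": spec, "accepted": False, "tls12": [], "tls13": []}

    tls12, tls13 = [], []
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            tls13.append(cipher["name"])
        else:
            tls12.append(cipher["name"])
    return {"spec": spec, "accepted": True, "tls12": tls12, "tls13": tls13}


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    # Constructed sample inputs: the class from the thread, a narrow modern
    # selection, and a deliberately invalid name.
    for spec in ("MEDIUM", "ECDHE+AESGCM", "NO-SUCH-CIPHER-NAME"):
        result = audit_cipher_string(spec)
        print(spec, "accepted" if result["accepted"] else "rejected")
        print("  cipher list (<= TLS 1.2):", ":".join(result["tls12"]) or "-")
        print("  TLS 1.3 ciphersuites:    ", ":".join(result["tls13"]) or "-")
```

The `TLS_*` names appear for any accepted cipher string, however narrow, so a policy check on a deployment has to look at the cipher list and the ciphersuites separately.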


3.0.0-alpha2: openssl ciphers MEDIUM empty?

2020-06-03 Thread Claus Assmann
Just curious: Why is the output of
openssl ciphers MEDIUM
"empty" for 3.0.0.a2?
Error in cipher list
00:00:00:00:error:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2705:

Using 1.1.1 lists several, and at least
TLS_AES_128_GCM_SHA256
is also listed by
openssl-3.0.0.a2 ciphers

Has the "classification" of ciphers changed?
I didn't see anything obvious in CHANGES.