Thanks for the reply. I am trying to disable all the ciphers and then only enable the ciphers captured by the HIGH, SSLv3, TLSv1, MEDIUM, and SSLv2 lists (these are maintained by the OpenSSL guys, I think: http://www.openssl.org/docs/apps/ciphers.html ), explicitly turning off the NULL ciphers. Whenever possible I want to try and use SHA digests instead of MD5, since MD5 is no longer the approved digest, but those are preferred above non-digested ciphers (which are not present in SSLv2 and later, but...).

After poking about the net a bit more (thanks to the "aha" of the ! that you listed below) I have revised this to

    HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:@STRENGTH:+SHA:+MD5

which yields

# openssl ciphers -v 'HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:@STRENGTH:+SHA:+MD5'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH   Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH   Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH   Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH   Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=MD5
RC4-MD5                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA  Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5

This tells me that now I am actually selecting a valid cipher list, but the start-up problem remains.

TLS: could not set cipher list HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:@STRENGTH:+SHA:+MD5.
main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
slapd stopped.

OpenLDAP 2.4.7-5 on Debian x86 installed from apt

Pat

On Mon, 2008-03-24 at 12:44 -0600, Philip Guenther wrote:
> On Mon, 24 Mar 2008, Pat Riehecky wrote:
> > I am trying to limit the cipher list for TLS negotiations, but I don't
> > seem to be able to do this.....
> ...
> > TLS: could not set cipher list !ALL:HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:+SHA:+MD5.
> > main: TLS init def ctx failed: -1
>
> You can test your cipher list expression by passing it to the "openssl
> ciphers" command:
>
> $ openssl ciphers -v !ALL:HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:+SHA:+MD5
> Error in cipher list
> 16507:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:/usr/src/lib/libssl/src/ssl/ssl_lib.c:1144:
> $
>
> So your cipher list disables all the ciphers. The error is in the first
> term:
>
>     If `!' is used, then the ciphers are permanently deleted from the list.
>     The ciphers deleted can never reappear in the list even if they are
>     explicitly stated.
>
> So, your "!ALL" completely removes the "ALL" ciphers from the list and
> nothing can reinsert them after that.
>
> Offhand, it's not clear what you're trying to accomplish with that cipher
> list expression, so it's not clear what the right 'fix' is.
>
> Philip Guenther
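Editor's note: the operator rules Philip quotes from ciphers(1) (a plain term adds, '+' moves matching entries to the end, '-' deletes but a later term may re-add, '!' deletes permanently, '@STRENGTH' sorts by key length) are easy to model, and doing so shows exactly why the first string above expands to nothing while the revised one does not. The following Python is an added example, not code from the thread or from OpenSSL: the cipher table is a constructed subset of the suites that appear in Pat's `openssl ciphers -v` output (with a LOW, an aNULL and an eNULL suite added so those keywords have something to bite on), its ordering is an assumed preference order, and treating TLSv1 as the same set as SSLv3 is an assumption that matches how the suites print above.

```python
"""Toy model of the OpenSSL cipher-list syntax from ciphers(1): ':'-separated
terms, an optional leading '+', '-' or '!', keywords ANDed with '+' inside a
term, and the '@STRENGTH' sort.  The cipher table is a constructed subset of
OpenSSL 0.9.8's; this is not OpenSSL's own code."""
from typing import Callable, Dict, List, NamedTuple


class Cipher(NamedTuple):
    name: str
    proto: str   # "SSLv2" or "SSLv3" (TLSv1 suites print as SSLv3, as in the thread)
    kx: str      # key exchange
    au: str      # authentication; "None" marks an anonymous (aNULL) suite
    enc: str     # bulk cipher; "None" marks an eNULL suite
    bits: int    # encryption strength used by @STRENGTH
    mac: str
    grade: str   # "HIGH", "MEDIUM", "LOW" or "NONE"


# Constructed table, in an assumed library preference order.
TABLE: List[Cipher] = [
    Cipher("DHE-RSA-AES256-SHA",   "SSLv3", "DH",  "RSA",  "AES",  256, "SHA1", "HIGH"),
    Cipher("DHE-DSS-AES256-SHA",   "SSLv3", "DH",  "DSS",  "AES",  256, "SHA1", "HIGH"),
    Cipher("AES256-SHA",           "SSLv3", "RSA", "RSA",  "AES",  256, "SHA1", "HIGH"),
    Cipher("EDH-RSA-DES-CBC3-SHA", "SSLv3", "DH",  "RSA",  "3DES", 168, "SHA1", "HIGH"),
    Cipher("DES-CBC3-SHA",         "SSLv3", "RSA", "RSA",  "3DES", 168, "SHA1", "HIGH"),
    Cipher("DHE-RSA-AES128-SHA",   "SSLv3", "DH",  "RSA",  "AES",  128, "SHA1", "HIGH"),
    Cipher("AES128-SHA",           "SSLv3", "RSA", "RSA",  "AES",  128, "SHA1", "HIGH"),
    Cipher("RC4-SHA",              "SSLv3", "RSA", "RSA",  "RC4",  128, "SHA1", "MEDIUM"),
    Cipher("RC4-MD5",              "SSLv3", "RSA", "RSA",  "RC4",  128, "MD5",  "MEDIUM"),
    Cipher("DES-CBC3-MD5",         "SSLv2", "RSA", "RSA",  "3DES", 168, "MD5",  "HIGH"),
    Cipher("RC4-MD5",              "SSLv2", "RSA", "RSA",  "RC4",  128, "MD5",  "MEDIUM"),
    Cipher("DES-CBC-SHA",          "SSLv3", "RSA", "RSA",  "DES",   56, "SHA1", "LOW"),
    Cipher("ADH-AES128-SHA",       "SSLv3", "DH",  "None", "AES",  128, "SHA1", "HIGH"),
    Cipher("NULL-SHA",             "SSLv3", "RSA", "RSA",  "None",   0, "SHA1", "NONE"),
]

# Keyword -> predicate.  "NULL" is an alias of "eNULL"; "ALL" excludes eNULL.
KEYWORDS: Dict[str, Callable[[Cipher], bool]] = {
    "ALL":    lambda c: c.enc != "None",
    "HIGH":   lambda c: c.grade == "HIGH",
    "MEDIUM": lambda c: c.grade == "MEDIUM",
    "LOW":    lambda c: c.grade == "LOW",
    "eNULL":  lambda c: c.enc == "None",
    "NULL":   lambda c: c.enc == "None",
    "aNULL":  lambda c: c.au == "None",
    "SHA":    lambda c: c.mac == "SHA1",
    "SHA1":   lambda c: c.mac == "SHA1",
    "MD5":    lambda c: c.mac == "MD5",
    "SSLv2":  lambda c: c.proto == "SSLv2",
    "SSLv3":  lambda c: c.proto == "SSLv3",
    "TLSv1":  lambda c: c.proto == "SSLv3",   # assumption: same set as SSLv3 here
    "DH":     lambda c: c.kx == "DH",
    "3DES":   lambda c: c.enc == "3DES",
}


def _select(term: str) -> List[Cipher]:
    """Table entries matching every '+'-joined keyword (or exact suite name) in term."""
    preds = []
    for kw in term.split("+"):
        if kw in KEYWORDS:
            preds.append(KEYWORDS[kw])
        elif any(c.name == kw for c in TABLE):
            preds.append(lambda c, n=kw: c.name == n)
        else:
            raise ValueError(f"unknown cipher keyword {kw!r}")
    return [c for c in TABLE if all(p(c) for p in preds)]


def expand_cipher_list(spec: str) -> List[Cipher]:
    """Apply the cipher-string operators left to right; may return an empty list."""
    current: List[Cipher] = []
    killed = set()                # '!' deletions are permanent
    for term in spec.split(":"):
        if not term:
            continue
        if term == "@STRENGTH":   # stable sort by key length, strongest first
            current.sort(key=lambda c: -c.bits)
            continue
        op = term[0] if term[0] in "+-!" else ""
        hit = [c for c in _select(term[len(op):]) if c not in killed]
        if op == "":              # add in table order, without duplicates
            current += [c for c in hit if c not in current]
        elif op == "+":           # move matching entries already present to the end
            current = [c for c in current if c not in hit] + [c for c in current if c in hit]
        elif op == "-":           # delete, but a later term may add them back
            current = [c for c in current if c not in hit]
        else:                     # '!': delete and never allow back
            current = [c for c in current if c not in hit]
            killed.update(hit)
    return current


def check_cipher_list(spec: str) -> str:
    """Mimic 'openssl ciphers -v': the listing, or the error slapd runs into."""
    chosen = expand_cipher_list(spec)
    if not chosen:
        return "Error in cipher list (no cipher match)"
    return "\n".join(f"{c.name:22} {c.proto} Kx={c.kx} Au={c.au} Enc={c.enc}({c.bits}) Mac={c.mac}"
                     for c in chosen)


if __name__ == "__main__":
    print(check_cipher_list("!ALL:HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:+SHA:+MD5"))
    print(check_cipher_list("HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:@STRENGTH:+SHA:+MD5"))
```

Run as-is it prints the "no cipher match" error for the original `!ALL:...` string and, for the revised string, the same ordering the thread shows (256-bit first, then 3DES, then 128-bit, with the MD5 suites pushed to the end by `+SHA:+MD5`). The pair `ALL:!aNULL:ADH-AES128-SHA` versus `ALL:-aNULL:ADH-AES128-SHA` shows the rule Philip quotes: after `!aNULL` the anonymous suite can never be named back in, while after `-aNULL` it is re-added at the end of the list.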
