On Thu, Oct 25, 2012, Hanno Böck wrote:
> Hi,
>
> I think I've spotted a bug in openssl's handling of ciphersuites, but
> I'm not entirely sure if I'm doing it right.
>
> When using just about any cipher suite string, I never get any TLS 1.1
> cipher suites.
>
> E.g. lets assume I want a pretty strong selection of cipher suites and
> don't want to support any SSLv2/3, I could do:
>
> openssl ciphers -v '!SSLv3:!SSLv2:HIGH:MEDIUM:!LOW'
>
> It gives me only ciphers with TLSv1.2 listed.
> However, at least some of them should be supported within TLSv1.1.
>
> Doesn't openssl support a single cipher suite that can be used with
> TLSv1.1 and that doesn't require TLS 1.2? Or what would be the correct
> ciphersuite string?
>
> I think what's happening here is that !sslv3 disables all cipher suites
> that are part of sslv3, including those that are still supported by
> tlsv1.1. However, I'm unsure if that's the intended behaviour.
>
All ciphersuites supported by TLS v1.0 are also supported in SSLv3 in OpenSSL and there aren't any ciphersuites defined in any standard I know of that require TLS v1.1 but won't work in TLS v1.0. So by doing !SSLv3 you are effectively disabling all SSLv3/TLSv1 ciphersuites and since there aren't any TLS v1.1 ciphersuites you end up with TLS v1.2 only.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
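The effect Steve describes can be checked mechanically against the output of `openssl ciphers -v`. The script below is an added example, not code from the thread or from OpenSSL: it parses a constructed sample of that output in the 1.0.x style (where every SSLv3/TLS 1.0/TLS 1.1-capable suite is labelled `SSLv3` and nothing is labelled `TLSv1.1`), models a `!SSLv3` term as "drop every suite with that label", and then asks which of the remaining suites a TLS 1.1 connection could still negotiate. The `MIN_VERSION` table is an assumption of this example (it also accepts the `TLSv1` label that newer OpenSSL builds print for the same suites); the sample lines are constructed and a real build's list will differ.

```python
import re
from collections import Counter

# Constructed sample of `openssl ciphers -v` output in the OpenSSL 1.0.x
# style the thread discusses: TLS 1.0/1.1-capable suites carry the label
# "SSLv3", and there is no "TLSv1.1" label at all.  Real output varies by build.
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

# One line of `openssl ciphers -v`: suite name, protocol label, then Kx/Au/Enc/Mac.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Assumed mapping from the protocol-label column to the lowest (major, minor)
# protocol version that can negotiate the suite.  "SSLv3" (1.0.x output) and
# "TLSv1" (newer output) both mean "SSLv3/TLS 1.0 and every later version";
# a TLSv1.2 suite needs TLS 1.2 because its AEAD mode or SHA-2 PRF does not
# exist in earlier versions.  There is no TLSv1.1-only label to map.
MIN_VERSION = {"SSLv3": (3, 0), "TLSv1": (3, 1), "TLSv1.2": (3, 3), "TLSv1.3": (3, 4)}
TLS11 = (3, 2)


def parse_ciphers(text):
    """Parse `openssl ciphers -v` output into a list of dicts (one per suite)."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def count_by_protocol(suites):
    """Histogram of the protocol-label column, e.g. {'SSLv3': 5, 'TLSv1.2': 3}."""
    return Counter(s["proto"] for s in suites)


def drop_label(suites, label):
    """Model a `!LABEL` cipher-string term: remove every suite labelled LABEL."""
    return [s for s in suites if s["proto"] != label]


def usable_at(suites, version):
    """Suites a connection at protocol `version` (major, minor) could negotiate.

    Unknown labels are treated as unusable rather than silently accepted."""
    return [s for s in suites if MIN_VERSION.get(s["proto"], (9, 9)) <= version]


if __name__ == "__main__":
    all_suites = parse_ciphers(SAMPLE_OUTPUT)
    print("full list:", dict(count_by_protocol(all_suites)))
    after = drop_label(all_suites, "SSLv3")
    print("after !SSLv3:", dict(count_by_protocol(after)))
    print("TLS 1.1 can use after !SSLv3:", [s["name"] for s in usable_at(after, TLS11)])
    print("TLS 1.1 can use without !SSLv3:", [s["name"] for s in usable_at(all_suites, TLS11)])
```

Run against the sample, `!SSLv3` leaves only the three `TLSv1.2` suites, and `usable_at(after, TLS11)` is empty, which is exactly the symptom in the question: the only way to keep suites for a TLS 1.1 peer is to keep the `SSLv3`-labelled ones and restrict the protocol version separately (in the application or with the `openssl s_server`/`s_client` version options) rather than through the cipher string.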