Hello,

I believe I have found a bug with restricting cipher suites using SSL_CTX_set_cipher_list. When I provide a large filter list I still get the cipher suite "SRP-RSA-AES-256-CBC-SHA" as output, even though it is specified to be removed. When I only disable "SRP-RSA-AES-256-CBC-SHA", it is correctly not listed. Removing only a few cipher suites from the large filter results in SRP-RSA-AES-256-CBC-SHA no longer being shown.

$ openssl ciphers 'ALL:!aNULL:!eNULL:!ADH-DES-CBC-SHA:!ADH-RC4-MD5:!AECDH-RC4-SHA:!AES128-GCM-SHA256:!AES128-SHA:!AES128-SHA256:!AES256-GCM-SHA384:!AES256-SHA:!AES256-SHA256:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!DES-CBC-MD5:!DES-CBC-SHA:!DES-CBC3-MD5:!DES-CBC3-SHA:!DHE-DSS-AES128-GCM-SHA256:!DHE-DSS-AES128-SHA:!DHE-DSS-AES128-SHA256:!DHE-DSS-AES256-GCM-SHA384:!DHE-DSS-AES256-SHA:!DHE-DSS-AES256-SHA256:!DHE-DSS-CAMELLIA128-SHA:!DHE-DSS-CAMELLIA256-SHA:!DHE-DSS-SEED-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-SEED-SHA:!ECDH-ECDSA-AES128-GCM-SHA256:!ECDH-ECDSA-AES128-SHA:!ECDH-ECDSA-AES128-SHA256:!ECDH-ECDSA-AES256-GCM-SHA384:!ECDH-ECDSA-AES256-SHA:!ECDH-ECDSA-AES256-SHA384:!ECDH-ECDSA-DES-CBC3-SHA:!ECDH-ECDSA-RC4-SHA:!ECDH-RSA-AES128-GCM-SHA256:!ECDH-RSA-AES128-SHA:!ECDH-RSA-AES128-SHA256:!ECDH-RSA-AES256-GCM-SHA384:!ECDH-RSA-AES256 -SHA:!ECDH-RSA-AES256-SHA384:!ECDH-RSA-DES-CBC3-SHA:!ECDH-RSA-RC4-SHA:!ECDHE-ECDSA-AES128-GCM-SHA256:!ECDHE-ECDSA-AES128-SHA:!ECDHE-ECDSA-AES128-SHA256:!ECDHE-ECDSA-AES256-GCM-SHA384:!ECDHE-ECDSA-AES256-SHA:!ECDHE-ECDSA-AES256-SHA384:!ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-AES128-GCM-SHA256:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-GCM-SHA384:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-RC4-SHA:!EDH-DSS-DES-CBC-SHA:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC-SHA:!EDH-RSA-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-RC4-MD5:!EXP-DES-CBC-SHA:!EXP-EDH-DSS-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!IDEA-CBC-MD5:!IDEA-CBC-SHA:!NULL-MD5:!PSK-3DES-EDE-CBC-SHA:!PSK-AES128-CBC-SHA:!PSK-AES256-CBC-SHA:!PSK-RC4-SHA:!RC2-CBC-MD5:!RC4-MD5:!RC4-SHA:!SEED-SHA:!SRP-DSS-3DES-EDE-CBC-SHA:!SRP-DSS-AES-128-CBC-SHA:!SRP-DSS-AES-256-CBC-SHA:!SRP-RSA-3DES-EDE-CBC-SHA:!SRP-RSA-AES-128-CBC-SHA:!SRP-RSA-AES-256-CBC-SHA:@STRENGTH'

I get the output "SRP-RSA-AES-256-CBC-SHA", which is not expected. No error messages are printed.

$ openssl ciphers 'ALL:!aNULL:!eNULL:!AES128-SHA:!AES128-SHA256:!AES256-GCM-SHA384:!AES256-SHA:!AES256-SHA256:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!DES-CBC-MD5:!DES-CBC-SHA:!DES-CBC3-MD5:!DES-CBC3-SHA:!DHE-DSS-AES128-GCM-SHA256:!DHE-DSS-AES128-SHA:!DHE-DSS-AES128-SHA256:!DHE-DSS-AES256-GCM-SHA384:!DHE-DSS-AES256-SHA:!DHE-DSS-AES256-SHA256:!DHE-DSS-CAMELLIA128-SHA:!DHE-DSS-CAMELLIA256-SHA:!DHE-DSS-SEED-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-SEED-SHA:!ECDH-ECDSA-AES128-GCM-SHA256:!ECDH-ECDSA-AES128-SHA:!ECDH-ECDSA-AES128-SHA256:!ECDH-ECDSA-AES256-GCM-SHA384:!ECDH-ECDSA-AES256-SHA:!ECDH-ECDSA-AES256-SHA384:!ECDH-ECDSA-DES-CBC3-SHA:!ECDH-ECDSA-RC4-SHA:!ECDH-RSA-AES128-GCM-SHA256:!ECDH-RSA-AES128-SHA:!ECDH-RSA-AES128-SHA256:!ECDH-RSA-AES256-GCM-SHA384:!ECDH-RSA-AES256-SHA:!ECDH-RSA-AES256-SHA384:!ECDH-RSA-DES-CBC3-SHA:!ECDH-RSA-RC4-SHA:!ECDHE-ECDSA-AES128-GCM-SHA256:!ECDHE-ECDSA-AES128-SHA:!ECDHE-ECDSA-AES128-SHA256:!ECDHE-ECDSA-AES256-GCM-SHA384:!ECDHE-ECDSA-AES256-SHA:!ECDHE-ECDSA-AES256-SHA384:!ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-AES128-GCM-SHA256:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-GCM-SHA384:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-RC4-SHA:!EDH-DSS-DES-CBC-SHA:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC-SHA:!EDH-RSA-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-RC4-MD5:!EXP-DES-CBC-SHA:!EXP-EDH-DSS-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!IDEA-CBC-MD5:!IDEA-CBC-SHA:!NULL-MD5:!PSK-3DES-EDE-CBC-SHA:!PSK-AES128-CBC-SHA:!PSK-AES256-CBC-SHA:!PSK-RC4-SHA:!RC2-CBC-MD5:!RC4-MD5:!RC4-SHA:!SEED-SHA:!SRP-DSS-3DES-EDE-CBC-SHA:!SRP-DSS-AES-128-CBC-SHA:!SRP-DSS-AES-256-CBC-SHA:!SRP-RSA-3DES-EDE-CBC-SHA:!SRP-RSA-AES-128-CBC-SHA:!SRP-RSA-AES-256-CBC-SHA:@STRENGTH' | tr ':' '\n' | grep SRP-RSA-AES-256-CBC-SHA

I get no output, as expected.

$ openssl ciphers 'ALL:!aNULL:!eNULL:!SRP-RSA-AES-256-CBC-SHA' | tr ':' '\n' | grep SRP-RSA-AES-256-CBC-SHA

I get no output, as expected.

$ openssl version
OpenSSL 1.0.1e 11 Feb 2013

$ uname -srvo
Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 GNU/Linux

$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 7.3 (wheezy)
Release:        7.3
Codename:       wheezy

Many thanks,
Matthew Bradbury
Hitachi Data Systems

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
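An added check for reports like the one above; this is example code written for this page, not part of Matthew's report or of OpenSSL itself. Two properties of OpenSSL cipher strings matter when a very long "!NAME:!NAME:..." argument is involved: ciphers(1) documents that spaces and commas are accepted as separators in addition to colons, and a token that matches no suite name or alias is ignored without any error. So if a long argument is wrapped or pasted with a space inside a suite name, that "!" entry silently turns into two unknown tokens and the suite stays enabled, with no message printed. The script below hands a cipher string to SSL_CTX_set_cipher_list via Python's ssl module, lists what OpenSSL actually enabled, and flags three things: whitespace in the string, "!" tokens that look like suite names but are unknown to this build, and "!" suites that are nevertheless still enabled. It assumes a Python 3.6+ linked against OpenSSL 1.1.1 or later; ECDHE-RSA-AES128-GCM-SHA256 is used for the demonstration because every such build has it (the 1.0.1 SRP suites from the report are absent from most current builds, which the "unknown" check would itself report). The wrapped string in the demonstration is constructed for the example.

```python
"""Audit an OpenSSL cipher string: did every "!NAME" exclusion actually apply?

Python's ssl module passes the string to SSL_CTX_set_cipher_list, so the
result is exactly what OpenSSL enables for that string on this build.
"""
import re
import ssl

# ciphers(1): colons are the usual separator, but commas and spaces are
# accepted too.  A suite name broken by a space (a wrapped line pasted into
# a shell) becomes two unknown tokens, and OpenSSL ignores unknown tokens
# silently rather than failing.
SEPARATOR = re.compile(r"[:, ]+")


def tokenize(spec):
    """Split a cipher string into the tokens OpenSSL will see."""
    return [t for t in SEPARATOR.split(spec.strip()) if t]


def enabled_ciphers(spec):
    """Names of the suites OpenSSL enables for this cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def known_suite_names():
    """Every suite name this build knows (COMPLEMENTOFALL re-adds eNULL)."""
    return set(enabled_ciphers("ALL:COMPLEMENTOFALL"))


def audit(spec):
    """Report what could have gone wrong with the exclusions in spec.

    Returns a dict with:
      has_space - whitespace inside the string, the usual sign of a wrapped paste
      unknown   - "!" tokens that look like suite names (contain '-') but match nothing
      leaked    - suites named after "!" that are nevertheless still enabled
    """
    known = known_suite_names()
    killed = [t[1:] for t in tokenize(spec) if t.startswith("!")]
    enabled = set(enabled_ciphers(spec))
    return {
        "has_space": bool(re.search(r"\s", spec.strip())),
        "unknown": [n for n in killed if "-" in n and n not in known],
        "leaked": [n for n in killed if n in enabled],
    }


if __name__ == "__main__":
    suite = "ECDHE-RSA-AES128-GCM-SHA256"  # assumed present on every current build
    intact = "ALL:!aNULL:!eNULL:!" + suite
    # Constructed wrap damage: the same exclusion with a space inside the name,
    # as happens when a long argument is pasted across a line break.
    wrapped = "ALL:!aNULL:!eNULL:!ECDHE-RSA-AES128-GCM-SHA 256"
    for label, spec in (("intact", intact), ("wrapped", wrapped)):
        print(label, "still enabled:", suite in enabled_ciphers(spec), audit(spec))
```

The intact string removes the suite and the audit comes back clean; the wrapped string leaves the suite enabled, and the audit shows why: has_space is true and "ECDHE-RSA-AES128-GCM-SHA" is reported as an unknown name, which is the only trace OpenSSL leaves of the broken entry. A literal newline inside the string behaves differently from a space: it is not a separator, so set_cipher_list rejects the whole string and set_ciphers raises ssl.SSLError, which is at least loud. When an exclusion "does not work", run the exact argv the program passes through this check before suspecting the library.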