----- Original Message -----
> From: "dE" <de.tec...@gmail.com>
> To: openssl-dev@openssl.org
> Sent: Tuesday, 14 October, 2014 6:39:11 AM
> Subject: Re: CIPHER STRINGS
> 
> On 10/13/14 17:09, Hubert Kario wrote:
> > ----- Original Message -----
> >> From: "dE" <de.tec...@gmail.com>
> >> To: openssl-dev@openssl.org
> >> Sent: Monday, 13 October, 2014 5:38:28 AM
> >> Subject: Re: CIPHER STRINGS
> >>
> >> On 10/13/14 01:13, Viktor Dukhovni wrote:
> >>> On Sun, Oct 12, 2014 at 11:36:01PM +0530, dE wrote:
> >>>
> >>>> A command line tool. Like openssl list-ciphersuits
> >>> My own preference in this case is complete and accurate documentation.
> >>>
> >>>> This'll also avoid updating the man page with long descriptive text.
> >>> Even if a command-line tool is created, complete and accurate
> >>> documentation is not optional.
> >>>
> >> Problem with the documentation is that it's not complete. Many of these
> >> don't specify what the algo does (auth, digest etc...).
> >>
> >> They're basically just writing the obvious with some notices about
> >> OpenSSL-specific implementation.
> >>
> >> So if you don't know about the algo, you've to google it anyway.
> > backporting documentation fixes is much easier than code fixes (some
> > distributions even have mechanisms to update just the man pages
> > without need of issuing a new binary package)
> >
> > speaking of which, I did recently update ciphers man page on 1.0.1
> > branch with the intended goal to make it aligned with code
> > actually shipping and more explicit with what different options do.
> > If you think that it still has some unclear parts I'll gladly hear
> > about them.
> >
> > See here for the current version:
> > https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/doc/apps/ciphers.pod
> >
> > If the man page in your distro doesn't include those changes, open
> > a bug report against the distro, we can't help much with this though.
> 
> Thanks for the contribution.
> 
> I'd suggest the kind of algorithm the cipher string targets to be placed
> somewhere.
> 
> e.g. kRSA, RSA, ADH, AECDH should have --
> 
> Category:Kx
> 
> Many of these don't specify that these are Kx algorithms.
> 
> Similarly, AES128, AES256, AES should have
> 
> Category:Enc

It is sorted more or less this way, first key exchanges, then authentication
algorithms, encryption algorithms and finally HMACs/PRFs.

The exception being FORTEZZA, which is unsupported and you shouldn't use it,
and GOST algorithms, which have very specific and limited use.

Problem is that some of those aliases don't have one specific meaning.
For example 'ECDH' will match the "regular" ECDHE key exchange, but it
will also match aECDH ciphers, similarly with 'DH'. So you can't assign them
to a single category.
-- 
Regards,
Hubert Kario
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
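
Added example (not part of the original thread or of OpenSSL): a shell filter that groups `openssl ciphers -v` output by its Kx= and Au= columns, to show that one alias can span several categories and pull in anonymous suites. The function names and the sample lines are assumptions; the sample is constructed in the column layout of OpenSSL 1.0.x `ciphers -v`, not captured from a real run.

```shell
#!/bin/sh
# Real use: openssl ciphers -v 'ECDH' | kx_au_summary

# Constructed sample lines (name, protocol, Kx=, Au=, Enc=, Mac=).
sample_ecdh_output() {
cat <<'EOF'
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH        Au=RSA   Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH        Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA    Au=ECDH  Enc=AES(128)  Mac=SHA1
ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA  Au=ECDH  Enc=AES(128)  Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH        Au=None  Enc=AES(128)  Mac=SHA1
EOF
}

# Print "count Kx Au" for each distinct (key exchange, authentication) pair.
kx_au_summary() {
    awk '
        {
            kx = ""; au = ""
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^Kx=/) kx = substr($i, 4)
                if ($i ~ /^Au=/) au = substr($i, 4)
            }
            if (kx != "" && au != "") n[kx " " au]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k2,2 -k3,3
}

# count_distinct FIELD: number of distinct values of FIELD (Kx, Au, Enc, Mac).
count_distinct() {
    awk -v f="$1=" '
        { for (i = 3; i <= NF; i++)
              if (index($i, f) == 1) seen[substr($i, length(f) + 1)] = 1 }
        END { c = 0; for (k in seen) c++; print c }
    '
}

# Names of suites with no authentication, which a broad alias can select.
anon_suites() {
    awk '{ for (i = 3; i <= NF; i++) if ($i == "Au=None") print $1 }'
}

# Demo on the constructed sample.
sample_ecdh_output | kx_au_summary
```

If `anon_suites` prints anything for a cipher string you intend to deploy, exclude those suites explicitly (for example by appending `:!aNULL`).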
