On 10/14/14 16:47, Hubert Kario wrote:
----- Original Message -----
From: "dE" <de.tec...@gmail.com>
To: openssl-dev@openssl.org
Sent: Tuesday, 14 October, 2014 6:39:11 AM
Subject: Re: CIPHER STRINGS

On 10/13/14 17:09, Hubert Kario wrote:
----- Original Message -----
From: "dE" <de.tec...@gmail.com>
To: openssl-dev@openssl.org
Sent: Monday, 13 October, 2014 5:38:28 AM
Subject: Re: CIPHER STRINGS

On 10/13/14 01:13, Viktor Dukhovni wrote:
On Sun, Oct 12, 2014 at 11:36:01PM +0530, dE wrote:

A command-line tool. Like openssl list-ciphersuites
My own preference in this case is complete and accurate documentation.

This'll also avoid updating the man page with long descriptive text.
Even if a command-line tool is created, complete and accurate
documentation is not optional.

Problem with the documentation is that it's not complete. Many of these
don't specify what the algo does (auth, digest, etc.).

They're basically just writing the obvious with some notices about
OpenSSL-specific implementation.

So if you don't know about the algo, you have to google it anyway.
backporting documentation fixes is much easier than code fixes (some
distributions even have mechanisms to update just the man pages
without needing to issue a new binary package)

speaking of which, I did recently update the ciphers man page on the 1.0.1
branch with the intended goal to make it aligned with code
actually shipping and more explicit with what different options do.
If you think that it still has some unclear parts I'll gladly hear
about them.

See here for the current version:
https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/doc/apps/ciphers.pod

If the man page in your distro doesn't include those changes, open
a bug report against the distro, we can't help much with this though.
Thanks for the contribution.

I suggest that the kind of algorithm the cipher string targets be placed
somewhere.

e.g. kRSA, RSA, ADH, AECDH should have --

Category:Kx

Many of these don't specify that these are Kx algorithms.

Similarly, AES128, AES256, AES should have

Category:Enc
It is sorted more or less this way, first key exchanges, then authentication
algorithms, encryption algorithms and finally HMACs/PRFs.

The exception being FORTEZZA, which is unsupported and you shouldn't use it,
and GOST algorithms, which have very specific and limited use.

Problem is that some of those aliases don't have one specific meaning.
For example 'ECDH' will match the "regular" ECDHE key exchange, but it
will also match aECDH ciphers, similarly with 'DH'. So you can't assign them
to a single category.

You can make an 'others' category that way, or make duplicate entries.

I would suggest a table so you can map duplicate entries too. Hope the man page allows tables.

You know these strings are used in programs like Apache so they must be clear.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
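The thread's disagreement is about which category (Kx, Au, Enc, Mac) a cipher-string alias such as 'ECDH' belongs to, and Hubert's point is that one alias can expand to suites that differ in another column (authenticated ECDHE suites and anonymous AECDH ones both have Kx=ECDH). The following script is an added example, not code from the thread or from the OpenSSL project: it parses lines in the format that `openssl ciphers -v` prints (`NAME PROTOCOL Kx=… Au=… Enc=… Mac=…`), groups the suites by each column, and lists the suites of a given key exchange that carry no authentication. The SAMPLE lines are constructed for the example to follow that format; they are not captured from any particular OpenSSL build.

```python
"""Group cipher suites by the four columns `openssl ciphers -v` prints.

Each output line of `openssl ciphers -v` has the shape

    NAME  PROTOCOL  Kx=...  Au=...  Enc=...  Mac=...

SAMPLE below is a constructed stand-in for that output, used so the
example runs offline; real output can be pasted in its place.
"""
import re
from collections import defaultdict

# Constructed sample in the `openssl ciphers -v` output format (not a real capture).
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-SHA      SSLv3   Kx=ECDH     Au=ECDSA Enc=AES(128)    Mac=SHA1
AECDH-AES256-SHA            SSLv3   Kx=ECDH     Au=None  Enc=AES(256)    Mac=SHA1
DHE-RSA-AES256-SHA          SSLv3   Kx=DH       Au=RSA   Enc=AES(256)    Mac=SHA1
ADH-AES128-SHA              SSLv3   Kx=DH       Au=None  Enc=AES(128)    Mac=SHA1
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA   Enc=AES(256)    Mac=SHA1
"""

# One regex for the whole line; each column becomes a named group.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+"
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers(text):
    """Return one dict per suite line; lines that do not match are skipped."""
    suites = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            suites.append(match.groupdict())
    return suites


def group_by(suites, column):
    """Map each value of `column` ('kx', 'au', 'enc' or 'mac') to suite names."""
    groups = defaultdict(list)
    for suite in suites:
        groups[suite[column]].append(suite["name"])
    return dict(groups)


def anonymous_suites(suites, kx):
    """Suites using key exchange `kx` that have no authentication (Au=None)."""
    return [s["name"] for s in suites if s["kx"] == kx and s["au"] == "None"]


if __name__ == "__main__":
    parsed = parse_ciphers(SAMPLE)
    for column in ("kx", "au", "enc", "mac"):
        print(column.upper(), group_by(parsed, column))
    # Kx=ECDH covers both the authenticated ECDHE suites and the anonymous
    # AECDH suite, which is why an alias like 'ECDH' has no single category.
    print("anonymous ECDH suites:", anonymous_suites(parsed, "ECDH"))
    print("anonymous DH suites:", anonymous_suites(parsed, "DH"))
```

To apply it to a real build, run `openssl ciphers -v 'ECDH'` (or any other alias from the ciphers man page) and pass its output to `parse_ciphers` in place of SAMPLE; the `Au` grouping then shows directly whether the alias pulled in Au=None suites, which is the check a server operator wants before putting an alias into an Apache or similar cipher string.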
