Hi,

On 11.05.2015 at 13:48, Hubert Kario via RT wrote:
> On Saturday 09 May 2015 18:22:52 Benny Baumann via RT wrote:
>> Hi,
>>
>> as the normal specification of cipher strings can be somewhat clumsy to
>> use from time to time it would be nice if one could use the raw ID of a
>> cipher (with all the usual operators):
>>
>> ALL:!0x00c012
>> Allow everything except TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>>
>> HIGH:-AES:+0x00c030
>> Allow all HIGH secure ciphers except AES, but explicitly include
>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>
> "+" operator doesn't add a cipher, it moves matching ones to end of list
>
This explains why GnuTLS and OpenSSL produce vastly different results
here ;-) Good to know. Wouldn't have ">" been a better choice then? ;-)

>> AES256:-0xc030:+AES+GCM
>> Allow AES256, but (soft-)exclude TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>> if it's not in the AESGCM ciphers list.
>
> again, you're describing what would happen with
> AES256:-0xc030:AES+GCM
>
>> Additionally it would be awesome if one could simply use the names as
>> they appear in the RFCs ;-)
>
> that would make the strings longer, wouldn't it? :)
>
Yes, but much easier to compare with the RFCs which ciphers are to be
selected. It's not as if you are writing such strings all the time.

> master has support for printing the IETF/IANA names, see -stdname options to
> ciphers subcommand...
>
Why would -stdname include -verbose? Does this work in reverse yet?

Regards,
BenBE.
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
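
The operator behaviour discussed in this thread, as an added example that is not part of the original messages: Python's ssl module hands the string to OpenSSL's own cipher-list parser, so the returned list shows what "+", "-", "!" and a bare name each do. The raw-ID syntax is only a request in this thread, so the helper name_for_id (a name chosen for this example, like tls12_list) resolves 0xC030 to the OpenSSL name first; it assumes a Python build linked against OpenSSL.

```python
import ssl

def tls12_list(cipher_string):
    """Return the pre-TLS-1.3 cipher names OpenSSL selects, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # the string is parsed by OpenSSL itself
    # TLS 1.3 suites are configured separately and are always listed; drop them.
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]

def name_for_id(suite_id):
    """Map a 16-bit IANA cipher suite ID (e.g. 0xC030) to its OpenSSL name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    for c in ctx.get_ciphers():
        # OpenSSL reports the ID with a protocol prefix (0x0300xxxx); mask it off.
        if c["id"] & 0xFFFF == suite_id:
            return c["name"]
    raise LookupError("no cipher with ID 0x%04X in this OpenSSL build" % suite_id)

def compare_operators(suite_id=0xC030):
    """Show how each operator treats one cipher after AES has been removed."""
    name = name_for_id(suite_id)
    return {
        # "-AES" removes the cipher; "+name" only reorders ciphers still in
        # the list, so it has nothing to move and the cipher stays absent.
        "HIGH:-AES:+" + name: name in tls12_list("HIGH:-AES:+" + name),
        # A bare name after a soft "-" delete appends the cipher again.
        "HIGH:-AES:" + name: name in tls12_list("HIGH:-AES:" + name),
        # "!" is a permanent delete: a later bare name cannot bring it back.
        "HIGH:!AES:" + name: name in tls12_list("HIGH:!AES:" + name),
    }

def last_after_plus(suite_id=0xC030):
    """With the cipher still present, "+name" moves it to the end of the list."""
    name = name_for_id(suite_id)
    return tls12_list("HIGH:+" + name)[-1]

if __name__ == "__main__":
    for rule, present in compare_operators().items():
        print("%-45s cipher present: %s" % (rule, present))
    print("last entry of HIGH:+<name>:", last_after_plus())
```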
