The command 'openssl ciphers -v DEFAULT' gives the following ciphers:

DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

Based on my limited understanding, an openssl client and server will do some 
'hello' handshaking and select a cipher supported by both and with the highest 
security, correct?
For people that use openssl right out of the box and do not do any special 
cipher selection, if we use the same version of openssl on both ends I assume 
the cipher used in the connection will be the first one, DHE-RSA-AES256-SHA, 
right?

Alex
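To make the selection question concrete, here is an added example (not code from the thread or from OpenSSL) that parses the `openssl ciphers -v` listing above, flags entries a present-day configuration would exclude, and models how the client's and server's ordered lists (the pool Kyle's quoted reply says comes from SSL[_CTX]_set_cipher_list) meet in the handshake. It assumes Python 3 and relies on OpenSSL's documented default of following the client's order unless SSL_OP_CIPHER_SERVER_PREFERENCE is set.

```python
"""Parse `openssl ciphers -v` output and model TLS cipher-suite selection.
Added example for this thread; not code from OpenSSL or from anyone posting in it.
SAMPLE is a subset of the `openssl ciphers -v DEFAULT` lines Alex posted.
"""
from collections import namedtuple
SAMPLE = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""

Suite = namedtuple("Suite", "name proto kx au enc bits mac export")

def parse_ciphers_v(text):
    """Turn `openssl ciphers -v` lines into Suite records, preserving list order."""
    suites = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6:            # blank or malformed line
            continue
        kv = dict(p.split("=", 1) for p in f[2:6])          # Kx=, Au=, Enc=, Mac=
        enc, bits = kv["Enc"].rstrip(")").split("(")        # "RC4(40)" -> RC4, 40
        suites.append(Suite(f[0], f[1], kv["Kx"], kv["Au"], enc, int(bits),
                            kv["Mac"], "export" in f[6:]))
    return suites

def weak_reasons(s):
    """Why a suite from this 2010 DEFAULT list should be excluded by a modern config."""
    reasons = []
    if s.export or s.bits < 128:
        reasons.append("weak key length")
    if s.proto == "SSLv2":
        reasons.append("SSLv2")
    if s.mac == "MD5":
        reasons.append("MD5 MAC")
    if s.enc in ("RC4", "DES", "3DES"):
        reasons.append("deprecated cipher " + s.enc)
    if not s.kx.startswith("DH"):                           # Kx=DH here means ephemeral DH
        reasons.append("no forward secrecy")
    return reasons

def negotiate(client, server, server_preference=False):
    """Suite name a handshake picks: first entry in the preferring side's ordered list
    that the other side also offers, or None. OpenSSL honours the client's order
    unless SSL_OP_CIPHER_SERVER_PREFERENCE is set on the server."""
    first, other = (server, set(client)) if server_preference else (client, set(server))
    return next((name for name in first if name in other), None)
```

So "the first one" is only the answer when both sides run the same list and the preferring side's order is the one shown; a server that sets its own preference, or a peer built with a different cipher list, changes the result.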

On Aug 12, 2010, at 7:15 AM, Michael S. Zick wrote:

> On Wed August 11 2010, Tim Cloud wrote:
>> Let's pretend for a moment that an out of the box application uses openssl 
>> to provide access not through a browser, but rather through a SOAP client 
>> like Eclipse.
>> And let's also say that you have no access to the code internal to that 
>> application.
>> Is there any other way to limit the ciphers?  
>> Some kind of config file or a special way to compile the executable? 
>> 
> 
> The quick answer: 
> cipher list is not limited by an external, run-time, config file.
> 
> I am a bit confused by the limits to your question, the two parts:
> "have no access to the code internal to that application"
> and the:
> "special way to compile the executable"
> seem to conflict (at least in my mind).
> 
> I suppose you know what you meant - I'll go with that assumption. ;-)
> 
> The ciphers that might be used are established by agreement between client and 
> server -
> Two ends at which control might be effected.
> 
> Server end: (not mentioned in your limits) - remove the unwanted ciphers from 
> the openssl build.
> I.e.: If the server doesn't have them, it can't offer them, and the client can 
> choose one of them.
> 
> Client end: If the client uses the dynamic openssl libraries - just do the 
> same as above.
> 
> Client end: If the "I can't rebuild it" part of the client was statically 
> linked against the openssl
> libraries - then you will have to do a few handsprings -
> 
> One possible choice - put a https (or other as required) proxy on your 
> gateway - edit the cipher
> lists offered by client and/or server "on the fly".
> Note: Does not sound like fun to me.
> 
> Mike
>> ________________________________________
>> From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] On 
>> Behalf Of Kyle Hamilton [aerow...@gmail.com]
>> Sent: Wednesday, August 11, 2010 9:11 PM
>> To: openssl-users@openssl.org
>> Cc: Alex Chen
>> Subject: Re: Cipher selection
>> 
>> No, OpenSSL chooses the cipher from the argument to
>> SSL[_CTX]_set_cipher_list(3ssl) called on the SSL or the SSL_CTX structure.
>> 
>> On 8/11/10 4:57 PM, Alex Chen wrote:
>>> Does openssl choose the cipher from the pem file? If so, which section of 
>>> the following pem file sets the cipher for communication?
>> 
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org
