On 12/03/18 22:53, Chris Bare wrote: > I have a fairly basic server set up based on various examples I've seen. > > I run an nmap script I found against it and see only 16 ciphers listed, > none of which are supported by modern web browsers. > Yet when I run "openssl ciphers I get a list of 97. > > I realize some of these are old and deprecated etc, but where does the > default list come from? > > I tried this code to set it to use one of the more modern ciphers shown > in the the openssl ciphers output: > > char *ssl_cipher = "ECDHE-ECDSA-AES128-GCM-SHA256"; > if(!SSL_CTX_set_cipher_list(jav->ctx, ssl_cipher)) > return (false); > > but after that the nmap script doesn't find any ciphers. > > Any suggestions?
When you run "openssl ciphers" without other arguments it will give you the default set of ciphersuites. Not all of those will be useable by your server depending on other aspects of its configuration. For example PSK ciphersuites will only be available if you have configured a pre-shared-key (PSK). Most important is the type of certificate that your server is using, with typical types being RSA, ECDSA or DSA. It is possible to configure a server with more than one type of certificate - but if you've only got one then only ciphersuites compatible with that certificate will be used. In your example the ECDHE-ECDSA-AES128-GCM-SHA256 requires an ECDSA certificate to be present. If you haven't go one, and that's the only ciphersuite configured, then you won't be able to successfully make connections. Hope that helps, Matt -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users