Articles I've written for customers on IT issues.

todo: find way to choose preferred encryption
openssl has a command (at bottom of man)
cipher
man cipher:

EXAMPLES
Verbose listing of all OpenSSL ciphers including NULL ciphers:
    openssl ciphers -v 'ALL:eNULL'
Include all ciphers except NULL and anonymous DH then sort by strength:
    openssl ciphers -v 'ALL:!ADH:@STRENGTH'
Include all ciphers except ones with no encryption (eNULL) or no authentication (aNULL):
    openssl ciphers -v 'ALL:!aNULL'
Include only 3DES ciphers and then place RSA ciphers last:
    openssl ciphers -v '3DES:+RSA'
Include all RC4 ciphers but leave out those without authentication:
    openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT'
Include all ciphers with RSA authentication but leave out ciphers without encryption:
    openssl ciphers -v 'RSA:!COMPLEMENTOFALL'
Set security level to 2 and display all ciphers consistent with level 2:
    openssl ciphers -s -v 'ALL:@SECLEVEL=2'
digging deeper:
https://github.com/openssl/openssl/issues/7562
''
To everyone who is reading this issue: OpenSSL 1.1 uses an independent, new interface to set ciphersuites for TLSv1.3; the old ciphersuites interface is only effective up to TLSv1.2, so changing it has no effect for TLSv1.3. And as currently almost no application has adopted the new interface, there is no way to change ciphersuites for TLSv1.3.
But there is a workaround: you can change the global openssl.cnf to modify the default TLSv1.3 ciphersuites for OpenSSL itself, so every program in the system will use the ciphersuites you specified.
For example, appending these lines...
    openssl_conf = default_conf
    [default_conf]
    ssl_conf = ssl_sect
    [ssl_sect]
    system_default = system_default_sect
    [system_default_sect]
    Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
After changing it, you'll see the new global default:
    $ openssl ciphers -v ''
    TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
    TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
    TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
The path to global openssl.cnf is usually OPENSSLDIR, which can be obtained by...
    $ openssl version -a | grep OPENSSLDIR
    OPENSSLDIR: "/etc/ssl"
''
goes nowhere. what a mess.
Oh, it's openssl ciphers
NOT
openssl cipher
don't get that mixed up.
    root@zmctankhome:/etc/ssl# openssl ciphers -ciphersuites -help
    Error setting TLSv1.3 ciphersuites
    140089759171712:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
that didn't go anywhere on a search.
goal: disable openssl cipher (i.e. just one)
lots of dead ends
https://stackoverflow.com/questions/29162982/how-do-i-disable-a-particular-cipher-suite-in-openssl
only for C code
https://serverfault.com/questions/951775/disable-weak-cipher-ubuntu-16
is only for apache and ssh (poor subject title - misleading).
https://serverfault.com/questions/918082/openssl-disable-tlsv1-and-certain-insecure-ciphers-system-wide
here they recommend application specific files.
no rule that says there can't be a global. smwisicdt
bullshit.
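Added example (editor's, not from the original notes and not OpenSSL's own code): the two pieces already on this page, the rule-string syntax from the man ciphers EXAMPLES and the system_default section quoted from the GitHub issue, are enough to disable exactly one cipher system-wide. Two points the notes run into: the -ciphersuites -help attempt failed because -ciphersuites takes the TLS 1.3 suite list as its argument, so "-help" was parsed as a suite name and matched nothing; and the rule string (CipherString, the "DEFAULT:!NAME" form) only covers TLS 1.2 and below, while TLS 1.3 suites are a separate setting (Ciphersuites). The script first shows both settings per invocation, then writes a temporary openssl.cnf and points the openssl binary at it with OPENSSL_CONF, so the effect can be checked without touching /etc/ssl. It assumes OpenSSL 1.1.1 or newer on PATH; AES128-GCM-SHA256 and the TLS 1.3 suite names are arbitrary choices for the demonstration, not anything the notes name.

```sh
#!/bin/sh
# Added example, not the note author's code. Drops one cipher from OpenSSL's
# TLS<=1.2 list and pins the TLS 1.3 suites, first per invocation and then
# system-wide through a temporary openssl.cnf selected with OPENSSL_CONF.
# Assumes OpenSSL 1.1.1 or newer on PATH. AES128-GCM-SHA256 and the TLS 1.3
# suite names are illustrative choices, not taken from the original notes.

# count_in_list RULES SUITES NAME
# Number of lines in `openssl ciphers -v` that name cipher NAME, where RULES
# is the TLS<=1.2 rule string and SUITES the TLS 1.3 list. TLS 1.3 has its
# own option; the rule string never touches it.
count_in_list() {
    openssl ciphers -v -ciphersuites "$2" "$1" \
        | awk -v n="$3" '$1 == n { c++ } END { print c + 0 }'
}

# write_conf FILE
# Minimal openssl.cnf. Every program linked against libssl inherits
# system_default_sect when it creates an SSL_CTX, unless it later sets its
# own list (SSL_CTX_set_cipher_list and friends), which overrides this.
write_conf() {
    cat > "$1" <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# TLS 1.2 and below: the default list minus exactly one suite.
CipherString = DEFAULT:!AES128-GCM-SHA256
# TLS 1.3 keeps its own setting; the CipherString rules do not apply to it.
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# The protocol floor is set the same way.
MinProtocol = TLSv1.2
EOF
}

# count_in_system_default NAME
# Number of lines naming NAME in the library default list: `openssl ciphers`
# is run with no rule string, so it prints whatever system_default_sect left
# in the SSL_CTX.
count_in_system_default() {
    conf=$(mktemp)
    write_conf "$conf"
    OPENSSL_CONF="$conf" openssl ciphers -v \
        | awk -v n="$1" '$1 == n { c++ } END { print c + 0 }'
    rm -f "$conf"
}

suites='TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256'
echo "AES128-GCM-SHA256 in DEFAULT:                $(count_in_list DEFAULT "$suites" AES128-GCM-SHA256)"
echo "AES128-GCM-SHA256 after DEFAULT:!...:        $(count_in_list 'DEFAULT:!AES128-GCM-SHA256' "$suites" AES128-GCM-SHA256)"
echo "TLS_AES_128_GCM_SHA256 with pinned suites:   $(count_in_list DEFAULT "$suites" TLS_AES_128_GCM_SHA256)"
echo "system default, AES128-GCM-SHA256:           $(count_in_system_default AES128-GCM-SHA256)"
echo "system default, TLS_AES_256_GCM_SHA384:      $(count_in_system_default TLS_AES_256_GCM_SHA384)"
```

To make it permanent, the same system_default_sect goes into the openssl.cnf under OPENSSLDIR (openssl version -a shows the path) instead of a temp file. Check the result the same way, with openssl ciphers -v and no rule string, and keep in mind that a program which passes its own cipher list, or which is built against GnuTLS rather than OpenSSL, will not be affected by this file.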
man msmtp
- An SMTP client
has TLS priorities.
that should work. considered solved.