IT_Articles/2020/Manual_Email_Server_Interaction/resources/groundwork

todo: find way to choose preferred encryption

openssl has a command (at bottom of man) 
cipher
man cipher: 

EXAMPLES
       Verbose listing of all OpenSSL ciphers including NULL ciphers:

        openssl ciphers -v 'ALL:eNULL'

       Include all ciphers except NULL and anonymous DH then sort by strength:

        openssl ciphers -v 'ALL:!ADH:@STRENGTH'

       Include all ciphers except ones with no encryption (eNULL) or no authentication (aNULL):

        openssl ciphers -v 'ALL:!aNULL'

       Include only 3DES ciphers and then place RSA ciphers last:

        openssl ciphers -v '3DES:+RSA'

       Include all RC4 ciphers but leave out those without authentication:

        openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT'

       Include all ciphers with RSA authentication but leave out ciphers without encryption.

        openssl ciphers -v 'RSA:!COMPLEMENTOFALL'

       Set security level to 2 and display all ciphers consistent with level 2:

        openssl ciphers -s -v 'ALL:@SECLEVEL=2'


digging deeper:

https://github.com/openssl/openssl/issues/7562




''

To everyone who is reading this issue: OpenSSL 1.1 uses an independent, new interface to set ciphersuits for TLSv1.3, the old ciphersuits interface is only effective up to TLSv1.2, so changing it has no effect for TLSv1.3. And as currently almost no application has adopted the new interface, there is no way to change ciphersuits for TLSv1.3.

But there is a workaround: you can change the global openssl.cnf to modify the default TLSv1.3 ciphersuits for OpenSSL itself, so every program in the system will use the ciphersuits you specified.

For example, appending these lines...

openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256

After changing it, you'll see the new global default,

$ openssl ciphers -v ''
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD

The path to global openssl.cnf is usually OPENSSLDIR, which can be obtained by...

$ openssl version -a | grep OPENSSLDIR
OPENSSLDIR: "/etc/ssl"
''


goes no where. what a mess.
Oh, it's openssl ciphers
NOT
openssl cipher
don't get that mixed up.

root@zmctankhome:/etc/ssl# openssl ciphers -ciphersuites -help
Error setting TLSv1.3 ciphersuites
140089759171712:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:


that didn't go anywhere on a search.

goal: disable openssl cipher (i.e. just one)

lots of dead ends
https://stackoverflow.com/questions/29162982/how-do-i-disable-a-particular-cipher-suite-in-openssl
only for c code
https://serverfault.com/questions/951775/disable-weak-cipher-ubuntu-16
is only for apache and ssh (poor subject title - misleading).

https://serverfault.com/questions/918082/openssl-disable-tlsv1-and-certain-insecure-ciphers-system-wide
here they recommend application specific files. 
no rule tht says there cant be a global. smwisicdt
bullshit.

man msmtp
 - An SMTP client
has tls priorities.

that should work. considered solved.