todo: find way to choose preferred encryption openssl has a command (at bottom of man) cipher man cipher: EXAMPLES Verbose listing of all OpenSSL ciphers including NULL ciphers: openssl ciphers -v 'ALL:eNULL' Include all ciphers except NULL and anonymous DH then sort by strength: openssl ciphers -v 'ALL:!ADH:@STRENGTH' Include all ciphers except ones with no encryption (eNULL) or no authentication (aNULL): openssl ciphers -v 'ALL:!aNULL' Include only 3DES ciphers and then place RSA ciphers last: openssl ciphers -v '3DES:+RSA' Include all RC4 ciphers but leave out those without authentication: openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT' Include all ciphers with RSA authentication but leave out ciphers without encryption. openssl ciphers -v 'RSA:!COMPLEMENTOFALL' Set security level to 2 and display all ciphers consistent with level 2: openssl ciphers -s -v 'ALL:@SECLEVEL=2' digging deeper: https://github.com/openssl/openssl/issues/7562 '' To everyone who is reading this issue: OpenSSL 1.1 uses an independent, new interface to set ciphersuits for TLSv1.3, the old ciphersuits interface is only effective up to TLSv1.2, so changing it has no effect for TLSv1.3. And as currently almost no application has adopted the new interface, there is no way to change ciphersuits for TLSv1.3. But there is a workaround: you can change the global openssl.cnf to modify the default TLSv1.3 ciphersuits for OpenSSL itself, so every program in the system will use the ciphersuits you specified. For example, appending these lines... openssl_conf = default_conf [default_conf] ssl_conf = ssl_sect [ssl_sect] system_default = system_default_sect [system_default_sect] Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256 After changing it, you'll see the new global default, $ openssl ciphers -v '' TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD The path to global openssl.cnf is usually OPENSSLDIR, which can be obtained by... $ openssl version -a | grep OPENSSLDIR OPENSSLDIR: "/etc/ssl" '' goes no where. what a mess. Oh, it's openssl ciphers NOT openssl cipher don't get that mixed up. root@zmctankhome:/etc/ssl# openssl ciphers -ciphersuites -help Error setting TLSv1.3 ciphersuites 140089759171712:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294: that didn't go anywhere on a search. goal: disable openssl cipher (i.e. just one) lots of dead ends https://stackoverflow.com/questions/29162982/how-do-i-disable-a-particular-cipher-suite-in-openssl only for c code https://serverfault.com/questions/951775/disable-weak-cipher-ubuntu-16 is only for apache and ssh (poor subject title - misleading). https://serverfault.com/questions/918082/openssl-disable-tlsv1-and-certain-insecure-ciphers-system-wide here they recommend application specific files. no rule tht says there cant be a global. smwisicdt bullshit. man msmtp - An SMTP client has tls priorities. that should work. considered solved.