Articles I've written for customers on IT issues.
todo: find way to choose preferred encryption
openssl has a command (at bottom of man)
cipher
man cipher:
EXAMPLES
Verbose listing of all OpenSSL ciphers including NULL ciphers:
openssl ciphers -v 'ALL:eNULL'
Include all ciphers except NULL and anonymous DH then sort by strength:
openssl ciphers -v 'ALL:!ADH:@STRENGTH'
Include all ciphers except ones with no encryption (eNULL) or no authentication (aNULL):
openssl ciphers -v 'ALL:!aNULL'
Include only 3DES ciphers and then place RSA ciphers last:
openssl ciphers -v '3DES:+RSA'
Include all RC4 ciphers but leave out those without authentication:
openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT'
Include all ciphers with RSA authentication but leave out ciphers without encryption:
openssl ciphers -v 'RSA:!COMPLEMENTOFALL'
Set security level to 2 and display all ciphers consistent with level 2:
openssl ciphers -s -v 'ALL:@SECLEVEL=2'
digging deeper:
https://github.com/openssl/openssl/issues/7562
''
To everyone who is reading this issue: OpenSSL 1.1 uses an independent, new interface to set ciphersuites for TLSv1.3, the old ciphersuites interface is only effective up to TLSv1.2, so changing it has no effect for TLSv1.3. And as currently almost no application has adopted the new interface, there is no way to change ciphersuites for TLSv1.3.
But there is a workaround: you can change the global openssl.cnf to modify the default TLSv1.3 ciphersuites for OpenSSL itself, so every program in the system will use the ciphersuites you specified.
For example, appending these lines...
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
After changing it, you'll see the new global default,
$ openssl ciphers -v ''
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
The path to global openssl.cnf is usually OPENSSLDIR, which can be obtained by...
$ openssl version -a | grep OPENSSLDIR
OPENSSLDIR: "/etc/ssl"
''
goes nowhere. what a mess.
Oh, it's openssl ciphers
NOT
openssl cipher
don't get that mixed up.
root@zmctankhome:/etc/ssl# openssl ciphers -ciphersuites -help
Error setting TLSv1.3 ciphersuites
140089759171712:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
that didn't go anywhere on a search.
goal: disable openssl cipher (i.e. just one)
lots of dead ends
https://stackoverflow.com/questions/29162982/how-do-i-disable-a-particular-cipher-suite-in-openssl
only for C code
https://serverfault.com/questions/951775/disable-weak-cipher-ubuntu-16
is only for apache and ssh (poor subject title - misleading).
https://serverfault.com/questions/918082/openssl-disable-tlsv1-and-certain-insecure-ciphers-system-wide
here they recommend application specific files.
no rule that says there can't be a global. smwisicdt
bullshit.
man msmtp
- An SMTP client
has TLS priorities.
that should work. considered solved.
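Added worked example, not part of these notes or of the OpenSSL project: the openssl.cnf stanza quoted above extended with a CipherString line that bans one TLS 1.2 cipher (the '!' syntax from the man page examples), plus an awk audit of an `openssl ciphers -v` listing that confirms the cipher is gone and that no aNULL/eNULL entries remain. The cipher names and the listing are constructed sample data in the output format shown above, so the script runs without openssl installed.

```shell
#!/bin/sh
# Added example (not from the notes). Assumes the CipherString directive
# (TLS 1.2 and below) works in the same system_default_sect as Ciphersuites.

# Print an openssl.cnf stanza that bans one TLS<=1.2 cipher ($1) and pins
# the TLS 1.3 list ($2). '!' in a cipher string removes the cipher permanently.
emit_openssl_cnf() {
    printf 'openssl_conf = default_conf\n\n'
    printf '[default_conf]\nssl_conf = ssl_sect\n\n'
    printf '[ssl_sect]\nsystem_default = system_default_sect\n\n'
    printf '[system_default_sect]\n'
    printf 'CipherString = DEFAULT:!%s\n' "$1"
    printf 'Ciphersuites = %s\n' "$2"
}

# Read `openssl ciphers -v` output on stdin; exit 0 only if no line names
# cipher $1 and no line has Au=None (aNULL) or Enc=None (eNULL).
audit_cipher_list() {
    awk -v banned="$1" '
        $1 == banned { bad++ }
        /Au=None/    { bad++ }
        /Enc=None/   { bad++ }
        END { exit (bad > 0) }'
}

# Constructed sample listings, one line per cipher as `openssl ciphers -v` prints.
SAMPLE_GOOD='TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD'
SAMPLE_BAD='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1'

# Wrappers so each listing can be checked by name; status 0 means clean.
check_good() { printf '%s\n' "$SAMPLE_GOOD" | audit_cipher_list RC4-SHA; }
check_bad()  { printf '%s\n' "$SAMPLE_BAD"  | audit_cipher_list RC4-SHA; }

# Usage on a real system would be:
#   emit_openssl_cnf RC4-SHA TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256 >> "$(openssl version -d | cut -d'"' -f2)/openssl.cnf"
#   openssl ciphers -v | audit_cipher_list RC4-SHA && echo clean
```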