todo: find way to choose preferred encryption

openssl has a command (at bottom of man)

cipher

man cipher:
EXAMPLES

Verbose listing of all OpenSSL ciphers including NULL ciphers:

    openssl ciphers -v 'ALL:eNULL'

Include all ciphers except NULL and anonymous DH then sort by strength:

    openssl ciphers -v 'ALL:!ADH:@STRENGTH'

Include all ciphers except ones with no encryption (eNULL) or no authentication (aNULL):

    openssl ciphers -v 'ALL:!aNULL'

Include only 3DES ciphers and then place RSA ciphers last:

    openssl ciphers -v '3DES:+RSA'

Include all RC4 ciphers but leave out those without authentication:

    openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT'

Include all ciphers with RSA authentication but leave out ciphers without encryption:

    openssl ciphers -v 'RSA:!COMPLEMENTOFALL'

Set security level to 2 and display all ciphers consistent with level 2:

    openssl ciphers -s -v 'ALL:@SECLEVEL=2'
digging deeper:

https://github.com/openssl/openssl/issues/7562
''
To everyone who is reading this issue: OpenSSL 1.1 uses an independent, new interface to set ciphersuites for TLSv1.3, the old ciphersuites interface is only effective up to TLSv1.2, so changing it has no effect for TLSv1.3. And as currently almost no application has adopted the new interface, there is no way to change ciphersuites for TLSv1.3.

But there is a workaround: you can change the global openssl.cnf to modify the default TLSv1.3 ciphersuites for OpenSSL itself, so every program in the system will use the ciphersuites you specified.

For example, appending these lines...

    openssl_conf = default_conf

    [default_conf]
    ssl_conf = ssl_sect

    [ssl_sect]
    system_default = system_default_sect

    [system_default_sect]
    Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256

After changing it, you'll see the new global default,

    $ openssl ciphers -v ''
    TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
    TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
    TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD

The path to global openssl.cnf is usually OPENSSLDIR, which can be obtained by...

    $ openssl version -a | grep OPENSSLDIR
    OPENSSLDIR: "/etc/ssl"
''
goes nowhere. what a mess.

Oh, it's openssl ciphers

NOT

openssl cipher

don't get that mixed up.
    root@zmctankhome:/etc/ssl# openssl ciphers -ciphersuites -help
    Error setting TLSv1.3 ciphersuites
    140089759171712:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:

that didn't go anywhere on a search.
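Whatever cipher string or openssl.cnf change ends up being used, the check that matters is whether the unwanted cipher is still in what `openssl ciphers -v` prints (the name / protocol / Kx= / Au= / Enc= / Mac= format shown in the quoted issue above). The audit below is an added example, not code from the page or from the OpenSSL project; its sample lines are constructed, and the default list of what counts as banned (3DES, RC4, SSLv3) is an assumption to be adjusted to the cipher one actually wants gone.

```python
"""Audit `openssl ciphers -v` output for ciphers that should have been excluded."""
import re
import sys
from typing import Dict, List, Sequence

# Constructed sample in the `openssl ciphers -v` line format (name, protocol,
# then Kx=/Au=/Enc=/Mac= fields). Not real output from any host.
SAMPLE = """\
TLS_AES_256_GCM_SHA384      TLSv1.3 Kx=any  Au=any  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(128) Mac=AEAD
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA  Enc=3DES(168)   Mac=SHA1
AECDH-AES128-SHA            TLSv1   Kx=ECDH Au=None Enc=AES(128)    Mac=SHA1
NULL-SHA256                 TLSv1.2 Kx=RSA  Au=RSA  Enc=None        Mac=SHA256
"""

FIELD_RE = re.compile(r"(Kx|Au|Enc|Mac)=(\S+)")


def parse_cipher_line(line: str) -> Dict[str, str]:
    """Turn one `-v` line into {"name", "proto", "Kx", "Au", "Enc", "Mac"}."""
    name, proto = line.split()[:2]
    entry = {"name": name, "proto": proto}
    entry.update(FIELD_RE.findall(line))  # list of (key, value) pairs
    return entry


def parse_cipher_list(text: str) -> List[Dict[str, str]]:
    return [parse_cipher_line(l) for l in text.splitlines() if l.strip()]


def audit(entries: Sequence[Dict[str, str]],
          banned_enc: Sequence[str] = ("3DES", "RC4"),   # assumed policy
          banned_proto: Sequence[str] = ("SSLv3",)) -> List[str]:
    """Names of ciphers a string such as 'DEFAULT:!3DES:!RC4' should have
    removed: no encryption (eNULL), no authentication (aNULL), a banned
    encryption algorithm, or a banned protocol version."""
    bad = []
    for e in entries:
        enc_alg = e["Enc"].split("(")[0]  # "3DES(168)" -> "3DES"
        if (e["Enc"] == "None" or e["Au"] == "None"
                or enc_alg in banned_enc or e["proto"] in banned_proto):
            bad.append(e["name"])
    return bad


if __name__ == "__main__":
    # usage: openssl ciphers -v | python3 audit_ciphers.py  (sample if no pipe)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for name in audit(parse_cipher_list(text)):
        print("still enabled:", name)
```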
goal: disable openssl cipher (i.e. just one)

lots of dead ends

https://stackoverflow.com/questions/29162982/how-do-i-disable-a-particular-cipher-suite-in-openssl

only for c code

https://serverfault.com/questions/951775/disable-weak-cipher-ubuntu-16

is only for apache and ssh (poor subject title - misleading).

https://serverfault.com/questions/918082/openssl-disable-tlsv1-and-certain-insecure-ciphers-system-wide

here they recommend application specific files.

no rule that says there can't be a global. smwisicdt

bullshit.
man msmtp

- An SMTP client

has tls priorities.

that should work. considered solved.