Steve,

Thanks for the answer.

What I meant by TLSv1.1+ was a way to show only TLSv1.1 and TLSv1.2 ciphers in 
order to get a result like the one below.

-bash-3.2$ ./openssl ciphers -v 'ALL' | grep "TLSv1.2"
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD

What I was looking for was a way to have Apache HTTPD propose all TLSv1.2 
ciphers and then other ciphers (like RC4 and HIGH) without having to explicitly 
name the TLSv1.2 related ciphers in the SSLCipherSuite directive.

If I use "AESGCM", I still miss 8 out of the 24 available ciphers.

Martin

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dr. Stephen Henson
Sent: Monday, 26 March 2012 18:25
To: openssl-users@openssl.org
Subject: Re: OpenSSL 1.0.1 and TLSv1.2

On Mon, Mar 26, 2012, KUTILEK Martin wrote:

> Hi,
>
> I am doing some testing with openssl 1.0.1 and I am trying to find the
> proper syntax to display only TLSv1.1+ ciphers.
>
> When I look in ./ssl/ssl.h, I see
> #define SSL_TXT_TLSV1_2         "TLSv1.2"
> but whatever I try, I always get:
> Error in cipher list
> error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:ssl_ciph.c:1164:
>
> -bash-3.2$ ./openssl version
> OpenSSL 1.0.1 14 Mar 2012
>
> -bash-3.2$ ./openssl ciphers -v 'TLSv1.2'
> Error in cipher list
> 3086808716:error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:ssl_ciph.c:1164:
>
> -bash-3.2$ ./openssl ciphers -v "TLSv1.2"
> Error in cipher list
> 3086939788:error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:ssl_ciph.c:1164:
>
> -bash-3.2$ ./openssl ciphers -v -TLS1.2
> Error in cipher list
> 3086755468:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1312:
>
> -bash-3.2$ ./openssl ciphers -v -tls1.2
> Error in cipher list
> 3086632588:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1312:
>
> -bash-3.2$ ./openssl ciphers -v -tls1_2
> Error in cipher list
> 3086866060:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1312:
>
> Any help would be really appreciated.
>

Currently there isn't an option to do that. What do you mean by
"only TLSv1.1+ ciphers"? There are no ciphersuites that can only be used with
TLS v1.1 (i.e. exist in TLS v1.1 but not TLS 1.0 or earlier) and currently
only the AES GCM ciphersuites are the ones exclusive to TLS v1.2.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
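
Added example (not part of the original messages and not OpenSSL project code): since the cipher-string syntax in this thread has no TLSv1.2 keyword, the list can be generated from the protocol column of `openssl ciphers -v` output instead of the grep shown above. The function names, the constructed sample lines and the default `HIGH:!aNULL` fallback are assumptions of this sketch; suites with Au=None (the ADH entries in the listing) are skipped unless asked for.

```shell
#!/usr/bin/env bash
# Added example: turn `openssl ciphers -v` output into an SSLCipherSuite value.

# Constructed sample in the format shown in the message: one entry wrapped by
# the mail client, one anonymous (Au=None) suite and one non-TLSv1.2 suite.
sample_ciphers() {
cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256)
Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EOF
}

# tls12_cipher_string [keep_anon]
# Reads `openssl ciphers -v` output on stdin and prints the TLSv1.2 suite
# names joined with ':'. Pass 1 to keep unauthenticated (Au=None) suites.
tls12_cipher_string() {
  awk -v keep_anon="${1:-0}" '
    $2 == "TLSv1.2" {                      # field 2 is the protocol column;
                                           # wrapped "Mac=..." lines have none
      if (!keep_anon && /Au=None/) next    # drop anonymous DH suites
      out = out (out == "" ? "" : ":") $1  # field 1 is the suite name
    }
    END { print out }'
}

# ssl_cipher_suite_directive [fallback]
# Prints an Apache SSLCipherSuite line: the TLSv1.2 suites from stdin first,
# then a fallback cipher string (assumed default: HIGH without anonymous suites).
ssl_cipher_suite_directive() {
  printf 'SSLCipherSuite %s:%s\n' "$(tls12_cipher_string)" "${1:-HIGH:!aNULL}"
}

# Stand-alone run on the constructed sample; on a real host, pipe
# `./openssl ciphers -v 'ALL'` into the function instead.
sample_ciphers | ssl_cipher_suite_directive
```

The order of the generated list only decides which suite is negotiated when the server is configured to prefer its own order (SSLHonorCipherOrder on in mod_ssl).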
