Thank you very much, Dave, for the answer and detailed explanation.

And just one question. Is there any possibility to set different
cipher suites for different versions of TLS?

For example, I want to exclude RC4 cipher suites wholly for TLS 1.2/1.1
and leave them only for <=TLS 1.0. The reason is the same BEAST.
But if we have only one string with cipher suites we can't do this
because we need RC4 for TLS 1.0 and lower.


2013/12/24 Dave Thompson <dthomp...@prinpay.com>:
> The RFC only says the server “select[s]” from the ClientHello list.
>
> There are two obvious ways, and openssl implements both.
>
> “client preference” – server chooses the first entry in the client’s list
> that the server can support
>
> “server preference” – server chooses the first entry in its own list
> that the client offers
>
> libssl server by default does client preference but does server preference
> if you set option CIPHER_SERVER_PREFERENCE. Some applications using
> openssl can do this, notably apache httpd, and during the BEAST furor one
> widely recommended response was to configure httpd to prefer RC4.
> (Now RC4 seems to be threatened while BEAST has been mitigated
> client side, and this is no longer such a good idea.)
>
> Other algorithms, such as randomly choosing a suite common to client
> and server (if there are more than one) would be legal, but silly.
>
> TLSv1.2 as a protocol can support all suites implemented by openssl.
> A given suite will be used only if implemented and (where applicable)
> configured on both the client and server. In particular, libssl server
> will agree a suite that uses RSA only if an RSA cert&key is configured,
> similarly for DSS, and for ECC only if a cert&key is configured *and*
> it uses a curve and format agreed by the client. DH* and ECDH* suites
> also require that suitable ‘temporary’ parameters (or optionally keys)
> be available – through 1.0.1 either configured or via a callback.
> (1.0.2 will apparently add new options?) Similarly PSK suites
> require that PSK data is configured. Note that ECC, PSK, SRP, GCM, Camellia,
> SEED and ARIA suites are separate options not in the base RFC
> and thus a peer system can implement “TLS” without them.
>
> TLSv1.1 and lower cannot support the suites labelled TLSv1.2.
> TLSv1.1 and TLSv1.0, and in openssl SSLv3, can support all suites labelled
> SSLv3, subject to the same conditions above. Technically the RFCs for
> ECC, PSK, SRP, and ciphers newer than 3DES only apply to TLS, because
> SSLv3 (and v2) weren’t IETF standards. openssl does implement them
> on SSLv3 if the peer agrees, but given the timeline I doubt
> any peer does except maybe AES.
>
> Thus to answer your later question, ECDHE-(RSA,ECDSA)-RC4
> is officially supported for TLSv1.0,1.1,1.2 if RFC 4492 is (also)
> implemented, and for openssl server can be chosen if it has
> an appropriate key&cert and temporary parameters/key.
> openssl can also do them on SSLv3 but others might not.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
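Added example, not part of the thread and not OpenSSL code: a small Python model of the two selection rules Dave describes (client preference, the libssl default, versus server preference as enabled by CIPHER_SERVER_PREFERENCE), combined with his rule that suites labelled TLSv1.2 cannot be used at TLSv1.1 and lower. The suite table is a hand-copied subset of `openssl ciphers -v` output (second column); the client offer and the BEAST-era RC4-first server string are constructed inputs. Running it shows the point behind the question above: one configured server string applies at every protocol version, so under server preference RC4 is chosen at TLS 1.2 exactly as it is at TLS 1.0, and only the TLSv1.2-only suites drop out at the lower versions.

```python
"""Model of TLS cipher-suite selection as described in the openssl-users
thread: client preference vs. server preference, plus the protocol-version
filter.  Added example, not OpenSSL's implementation."""

from typing import Dict, List, Optional, Tuple

# Minimum protocol label per suite, as printed by `openssl ciphers -v`.
# A suite labelled "SSLv3" is usable at SSLv3 and every TLS version;
# a suite labelled "TLSv1.2" only at TLSv1.2.  (Hand-copied subset.)
SUITE_MIN_VERSION: Dict[str, str] = {
    "ECDHE-RSA-AES128-GCM-SHA256": "TLSv1.2",
    "AES128-SHA256": "TLSv1.2",
    "ECDHE-RSA-AES128-SHA": "SSLv3",
    "AES128-SHA": "SSLv3",
    "ECDHE-RSA-RC4-SHA": "SSLv3",
    "RC4-SHA": "SSLv3",
}

# Protocol versions in increasing order.
VERSION_ORDER: List[str] = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# Constructed BEAST-era server configuration: a single cipher string
# that puts RC4 first, as was widely recommended for httpd at the time.
BEAST_ERA_SERVER_STRING = (
    "ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA"
)


def usable_at(suite: str, version: str) -> bool:
    """True if `suite` is defined for `version`.

    Unknown suites are never negotiable; otherwise the negotiated version
    must be at least the suite's minimum label (so TLSv1.1 and lower
    cannot use suites labelled TLSv1.2)."""
    if suite not in SUITE_MIN_VERSION or version not in VERSION_ORDER:
        return False
    minimum = SUITE_MIN_VERSION[suite]
    return VERSION_ORDER.index(version) >= VERSION_ORDER.index(minimum)


def parse_cipher_string(cipher_string: str) -> List[str]:
    """Split a colon-separated cipher string, preserving order.

    Repeated names keep their first position (a simplification of this
    model, not a statement about OpenSSL's parser)."""
    names: List[str] = []
    for name in cipher_string.split(":"):
        name = name.strip()
        if name and name not in names:
            names.append(name)
    return names


def select_suite(
    client_offer: List[str],
    server_cipher_string: str,
    version: str,
    server_preference: bool = False,
) -> Optional[str]:
    """Return the suite a server following the thread's rules would agree.

    client_offer:          ClientHello suites, in the client's order.
    server_cipher_string:  the server's single configured list ("A:B:C").
    version:               negotiated protocol version, e.g. "TLSv1.2".
    server_preference:     False = client preference (the libssl default),
                           True  = server preference (CIPHER_SERVER_PREFERENCE).
    Returns None when no common usable suite exists (handshake fails)."""
    server_list = parse_cipher_string(server_cipher_string)
    # Whichever side "prefers" walks its own list; the other side's list
    # is only consulted for membership.
    if server_preference:
        chooser, other = server_list, client_offer
    else:
        chooser, other = client_offer, server_list
    for suite in chooser:
        if suite in other and usable_at(suite, version):
            return suite
    return None


def negotiation_table(
    client_offer: List[str], server_cipher_string: str
) -> Dict[Tuple[str, str], Optional[str]]:
    """Chosen suite for every (version, preference rule) combination, to
    show what a single configured server string yields across versions."""
    table: Dict[Tuple[str, str], Optional[str]] = {}
    for version in VERSION_ORDER:
        for pref in (False, True):
            key = (version, "server" if pref else "client")
            table[key] = select_suite(
                client_offer, server_cipher_string, version, pref
            )
    return table


if __name__ == "__main__":
    # Constructed client offer: a modern client that lists AES-GCM first
    # but still offers RC4 last for compatibility.
    client = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "ECDHE-RSA-RC4-SHA"]
    for (ver, rule), chosen in negotiation_table(client, BEAST_ERA_SERVER_STRING).items():
        print(f"{ver:8} {rule:6} preference -> {chosen}")
```

Under server preference every row of the printed table picks ECDHE-RSA-RC4-SHA, because the same RC4-first string is consulted at TLS 1.2 as at TLS 1.0; under client preference the AES-GCM suite wins at TLS 1.2 and falls back to AES128-SHA below it, since the version filter removes the TLSv1.2-labelled suite rather than the server's list changing.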