On Tue, Aug 01, 2017 at 11:41:42PM +0000, Viktor Dukhovni wrote:

> To see what you'd get for a particular protocol version:
>
>   $ /opt/openssl/1.1.0/bin/openssl ciphers -s -tls1 -V 'CHACHA20:!aRSA:!aDSA:!PSK'
>   $ /opt/openssl/1.1.0/bin/openssl ciphers -s -tls1_1 -V 'CHACHA20:!aRSA:!aDSA:!PSK'
>   $ /opt/openssl/1.1.0/bin/openssl ciphers -s -tls1_2 -V 'CHACHA20:!aRSA:!aDSA:!PSK'
>   0xCC,0xA9 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
For the record, that "!aDSA" should have been "!aDSS", though it makes little difference in this example as no DSA (aka DSS) CHACHA algorithms exist and none are likely to ever be added. You can check with "openssl ciphers -v aDSS" vs. "openssl ciphers -v aDSA".

--
Viktor.
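The per-keyword check suggested in the message above can be run over a whole cipher string; the script below is an added example, not part of the original message or of OpenSSL. The names `lint_cipher_string` and `OPENSSL_BIN` are chosen for this example, and it assumes that a keyword selecting nothing makes `openssl ciphers -v` fail or list only TLSv1.3 suites.

```shell
#!/bin/sh
# Added example: report cipher-string keywords that select no cipher suites
# when queried on their own (e.g. the mistyped "aDSA" instead of "aDSS").
# OPENSSL_BIN and lint_cipher_string are names chosen for this example.
OPENSSL_BIN=${OPENSSL_BIN:-openssl}

# Print every keyword of cipher string $1 that matches nothing by itself.
# Returns 1 if at least one such keyword was found, 0 otherwise.
lint_cipher_string() {
    bad=0
    # Items in a cipher string are separated by ':', ',' or spaces.
    for item in $(printf '%s\n' "$1" | tr ':, ' '\n\n\n'); do
        # Drop one leading operator (-, + or !) and keep the keyword.
        kw=${item#[-+!]}
        case $kw in
            ''|@*) continue ;;   # @STRENGTH, @SECLEVEL=n are not keywords
        esac
        # Assumption: an unmatched keyword makes the command fail, or leaves
        # only TLSv1.3 suites, which the cipher string does not select.
        n=$("$OPENSSL_BIN" ciphers -v "$kw" 2>/dev/null | grep -vc 'TLSv1\.3' || true)
        if [ "${n:-0}" -eq 0 ]; then
            printf 'no match: %s\n' "$kw"
            bad=1
        fi
    done
    return "$bad"
}

# Usage, with the cipher string from the quoted message:
#   lint_cipher_string 'CHACHA20:!aRSA:!aDSA:!PSK'
```

Set `OPENSSL_BIN` to the build under test, such as the `/opt/openssl/1.1.0/bin/openssl` used in the quoted commands, since the set of recognised keywords depends on the OpenSSL version.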