On Tue, Oct 22, 2019 at 05:37:14PM -0400, J Doe wrote:

> > On Oct 22, 2019, at 1:18 AM, Viktor Dukhovni <postfix-us...@dukhovni.org>
> > wrote:
> >
> >     $ openssl ciphers -stdname -s -tls1 -V AES256-SHA
> >     0x00,0x35 - TLS_RSA_WITH_AES_256_CBC_SHA - AES256-SHA SSLv3
> >     Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
>
> Ah, cool - I did not realize I could use the openssl command to “translate”
> the string that way.
>
> I see the AES mode, now, but I still can’t see whether DH/DHE/ECDHE was
> used for negotiation (or am I missing that in the output) ?

You see them not used.  Kx=RSA.  See ciphers(1):

    -v  Verbose output: For each cipher suite, list details as provided
        by SSL_CIPHER_description(3).

SSL_CIPHER_description(3):

    ...

    SSL_CIPHER_get_kx_nid() returns the key exchange NID corresponding
    to the method used by c. If there is no key exchange, then NID_undef
    is returned.  If any appropriate key exchange algorithm can be used
    (as in the case of TLS 1.3 cipher suites) NID_kx_any is returned.
    Examples (not comprehensive):

        NID_kx_rsa
        NID_kx_ecdhe
        NID_kx_dhe
        NID_kx_psk

    ...

    The string returned by SSL_CIPHER_description() consists of several
    fields separated by whitespace:

    <ciphername>
        Textual representation of the cipher name.

    <protocol version>
        The minimum protocol version that the ciphersuite supports, such
        as TLSv1.2.  Note that this is not always the same as the
        protocol version in which the ciphersuite was first defined
        because some ciphersuites are backwards compatible with earlier
        protocol versions.

    Kx=<key exchange>
        Key exchange method such as RSA, ECDHE, etc.

    Au=<authentication>
        Authentication method such as RSA, None, etc. None is the
        representation of anonymous ciphers.

    Enc=<symmetric encryption method>
        Encryption method, with number of secret bits, such as
        AESGCM(128).

    Mac=<message authentication code>
        Message digest, such as SHA256.

    Some examples for the output of SSL_CIPHER_description():

        ECDHE-RSA-AES256-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
        RSA-PSK-AES256-CBC-SHA384 TLSv1.0 Kx=RSAPSK Au=RSA Enc=AES(256) Mac=SHA384

-- 
    Viktor.
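
Added example, not part of the original thread or of OpenSSL: a small parser for the description fields quoted above that reports, per cipher line, whether the Kx= value indicates an ephemeral (DHE/ECDHE) exchange. The function names and the set of Kx labels treated as ephemeral are assumptions based on OpenSSL 1.1.x output.

```python
# Classify the key exchange reported in `openssl ciphers -v/-V` lines.
# Assumption: Kx labels as printed by OpenSSL 1.1.x, where "ECDH" and "DH"
# denote ephemeral ECDHE/DHE (the thread shows ECDHE-RSA-... with Kx=ECDH).
EPHEMERAL_KX = {"ECDH", "DH", "ECDHEPSK", "DHEPSK"}

# First three lines are copied from the thread; the TLS 1.3 line is a
# constructed sample in the same format.
SAMPLES = [
    "0x00,0x35 - TLS_RSA_WITH_AES_256_CBC_SHA - AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1",
    "ECDHE-RSA-AES256-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD",
    "RSA-PSK-AES256-CBC-SHA384 TLSv1.0 Kx=RSAPSK Au=RSA Enc=AES(256) Mac=SHA384",
    "TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD",
]


def parse_description(line):
    """Split one description line into its named fields.

    The cipher name and protocol are the two tokens before Kx=, which also
    skips the hex code and standard name that -V and -stdname prepend.
    """
    tokens = line.split()
    kx_pos = next((i for i, t in enumerate(tokens) if t.startswith("Kx=")), None)
    if kx_pos is None or kx_pos < 2:
        raise ValueError("not a cipher description line: %r" % line)
    fields = dict(t.split("=", 1) for t in tokens[kx_pos:] if "=" in t)
    return {"name": tokens[kx_pos - 2], "protocol": tokens[kx_pos - 1],
            "kx": fields["Kx"], "au": fields.get("Au"),
            "enc": fields.get("Enc"), "mac": fields.get("Mac")}


def kx_class(kx):
    """Return 'ephemeral', 'not-ephemeral' or 'negotiated-separately'."""
    if kx == "any":  # TLS 1.3 suites do not fix the key exchange
        return "negotiated-separately"
    return "ephemeral" if kx in EPHEMERAL_KX else "not-ephemeral"


def report(lines):
    """Return (cipher name, Kx value, class) for each description line."""
    parsed = [parse_description(l) for l in lines]
    return [(p["name"], p["kx"], kx_class(p["kx"])) for p in parsed]


if __name__ == "__main__":
    for name, kx, cls in report(SAMPLES):
        print("%-30s Kx=%-7s %s" % (name, kx, cls))
```

Lines from `openssl ciphers -v` on a given host can be passed to `report()` in place of `SAMPLES` to list which enabled suites lack an ephemeral exchange.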