Re: Listing TLS 1.3 Ciphers
On 10/04/2019 22:06, Richard Moore wrote:
> They also don't appear if you explicitly try to list 'All' which is what I
> found surprising.

"ALL" is a TLSv1.2 cipherstring and has no impact on the TLSv1.3 ciphersuite
selection. The two sets of ciphersuites are configured separately.

On 11/04/2019 00:06, Michael Richardson wrote:
> I think that those are the ones that constrained devices prefer,
> such as ECDHE-ECDSA-AES128-CCM8?
> So is there a way to validate that they are available, that they were
> compiled in?

You can get "openssl ciphers" to show them if you explicitly ask for them, i.e.

$ openssl ciphers -v -ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256" | grep "TLSv1.3"
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
TLS_AES_128_CCM_8_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM8(128) Mac=AEAD

Matt
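The availability check discussed in the message above, as an added shell example that is not part of the original thread: it compares a wanted list of TLSv1.3 ciphersuite names against `openssl ciphers -v` output and prints the ones that are not listed. The function names are hypothetical, and the sample listing is constructed from the three-suite default output quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.

# The five TLSv1.3 ciphersuite names given in the thread.
WANTED="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256"

# Read `openssl ciphers -v` output (lowercase -v, name in column 1) on stdin
# and print only the names whose protocol column is TLSv1.3.
tls13_names() {
    awk '$2 == "TLSv1.3" { print $1 }'
}

# missing_suites WANTED < listing
# Print each wanted name that does not appear in the listing, one per line.
missing_suites() {
    listing=$(tls13_names)
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r name; do
        [ -n "$name" ] || continue
        # -x: whole-line match, so CCM does not match CCM_8; -F: literal string.
        printf '%s\n' "$listing" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample: the default list shown in the thread (three suites).
sample_default_listing() {
    cat <<'EOF'
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
EOF
}

# Against a real build: request the suites explicitly, as in the thread, then
# compare. Prints nothing when every wanted suite is listed; if the openssl
# command fails or is absent, every wanted name is reported.
probe_local() {
    openssl ciphers -v -ciphersuites "$WANTED" 2>/dev/null | missing_suites "$WANTED"
}

# Demo on the sample: the two CCM suites are the ones not in the default list.
sample_default_listing | missing_suites "$WANTED"
```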
Re: Listing TLS 1.3 Ciphers
Benjamin Kaduk via openssl-users wrote:
>> Very odd. I thought that there were more at one point.

> The ones with truncated (8-byte) authentication tag are not intended
> for general use and don't make it into the default list.

I think that those are the ones that constrained devices prefer,
such as ECDHE-ECDSA-AES128-CCM8?
So is there a way to validate that they are available, that they were
compiled in?

--
Michael Richardson, Sandelman Software Works
-= IPv6 IoT consulting =-
Re: Listing TLS 1.3 Ciphers
On Wed, 10 Apr 2019 at 17:25, Benjamin Kaduk via openssl-users <openssl-users@openssl.org> wrote:

> On Wed, Apr 10, 2019 at 12:13:27PM -0400, Dennis Clarke wrote:
>
> > Very odd. I thought that there were more at one point.
>
> The ones with truncated (8-byte) authentication tag are not intended for
> general use and don't make it into the default list.
>

They also don't appear if you explicitly try to list 'All' which is what I
found surprising.

Rich

> -Ben
Re: Listing TLS 1.3 Ciphers
> The ones with truncated (8-byte) authentication tag are not intended for
> general use and don't make it into the default list.

There must be a Configuration option in 10-main.conf to enable them also?

Dennis
Re: Listing TLS 1.3 Ciphers
On Wed, Apr 10, 2019 at 12:13:27PM -0400, Dennis Clarke wrote:
> On 4/10/19 7:37 AM, Richard Moore wrote:
> >Hi All,
> >
> >I haven't found a way to list the supported openssl ciphers from the
> >command line (i.e. get the list of potential values for -ciphersuites). I
> >understand that currently there are only 5 options however this could
> >change over time, so I wanted to avoid hard coding the list in a script.
> >Am I missing something?
> >
> >Thanks
> >
> >Rich
>
> Strangely I only see three :
>
> nix$ openssl version
> OpenSSL 1.1.1b 26 Feb 2019
> nix$ openssl ciphers -V -tls1_3 -s
> 0x13,0x02 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
> 0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
> 0x13,0x01 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
> nix$
>
> Very odd. I thought that there were more at one point.

The ones with truncated (8-byte) authentication tag are not intended for
general use and don't make it into the default list.

-Ben
Re: Listing TLS 1.3 Ciphers
On 10/04/2019 17:13, Dennis Clarke wrote:
> On 4/10/19 7:37 AM, Richard Moore wrote:
>> Hi All,
>>
>> I haven't found a way to list the supported openssl ciphers from the command
>> line (i.e. get the list of potential values for -ciphersuites). I understand
>> that currently there are only 5 options however this could change over time,
>> so I wanted to avoid hard coding the list in a script. Am I missing
>> something?
>>
>> Thanks
>>
>> Rich
>
> Strangely I only see three :
>
> nix$ openssl version
> OpenSSL 1.1.1b 26 Feb 2019
> nix$ openssl ciphers -V -tls1_3 -s
> 0x13,0x02 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
> 0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
> 0x13,0x01 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
> nix$
>
> Very odd. I thought that there were more at one point.
>

There are 5 but only 3 are enabled by default. I'm not sure it is possible to
get "openssl ciphers" to list all of the ones it knows about. You have to
explicitly list them in the "-ciphersuites" option. Probably we should add that
capability.

Matt
Re: Listing TLS 1.3 Ciphers
On 4/10/19 7:37 AM, Richard Moore wrote:
> Hi All,
>
> I haven't found a way to list the supported openssl ciphers from the
> command line (i.e. get the list of potential values for -ciphersuites). I
> understand that currently there are only 5 options however this could
> change over time, so I wanted to avoid hard coding the list in a script.
> Am I missing something?
>
> Thanks
>
> Rich

Strangely I only see three :

nix$ openssl version
OpenSSL 1.1.1b 26 Feb 2019
nix$ openssl ciphers -V -tls1_3 -s
0x13,0x02 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
0x13,0x01 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
nix$

Very odd. I thought that there were more at one point.
Listing TLS 1.3 Ciphers
Hi All,

I haven't found a way to list the supported openssl ciphers from the command
line (i.e. get the list of potential values for -ciphersuites). I understand
that currently there are only 5 options however this could change over time,
so I wanted to avoid hard coding the list in a script. Am I missing something?

Thanks

Rich