diff options
Diffstat (limited to 'crypto/openssl/doc/apps/ciphers.pod')
-rw-r--r-- | crypto/openssl/doc/apps/ciphers.pod | 50 |
1 files changed, 49 insertions, 1 deletions
diff --git a/crypto/openssl/doc/apps/ciphers.pod b/crypto/openssl/doc/apps/ciphers.pod index 2107761..81a2c43 100644 --- a/crypto/openssl/doc/apps/ciphers.pod +++ b/crypto/openssl/doc/apps/ciphers.pod @@ -108,10 +108,20 @@ the default cipher list. This is determined at compile time and is normally B<ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH>. This must be the first cipher string specified. +=item B<COMPLEMENTOFDEFAULT> + +the ciphers included in B<ALL>, but not enabled by default. Currently +this is B<ADH>. Note that this rule does not cover B<eNULL>, which is +not included by B<ALL> (use B<COMPLEMENTOFALL> if necessary). + =item B<ALL> all ciphers suites except the B<eNULL> ciphers which must be explicitly enabled. +=item B<COMPLEMENTOFALL> + +the cipher suites not enabled by B<ALL>, currently being B<eNULL>. + =item B<HIGH> "high" encryption cipher suites. This currently means those with key lengths larger @@ -193,6 +203,10 @@ cipher suites using DH, including anonymous DH. anonymous DH cipher suites. +=item B<AES> + +cipher suites using AES. + =item B<3DES> cipher suites using triple DES. @@ -226,7 +240,9 @@ cipher suites using SHA1. =head1 CIPHER SUITE NAMES The following lists give the SSL or TLS cipher suites names from the -relevant specification and their OpenSSL equivalents. +relevant specification and their OpenSSL equivalents. It should be noted, +that several cipher suite names do not include the authentication used, +e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. =head2 SSL v3.0 cipher suites. @@ -296,6 +312,24 @@ relevant specification and their OpenSSL equivalents. TLS_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA +=head2 AES ciphersuites from RFC3268, extending TLS v1.0 + + TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA + TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA + + TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA + TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA + TLS_DH_RSA_WITH_AES_128_CBC_SHA DH-RSA-AES128-SHA + TLS_DH_RSA_WITH_AES_256_CBC_SHA DH-RSA-AES256-SHA + + TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA + TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA + TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE-RSA-AES128-SHA + TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA + + TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA + TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA + =head2 Additional Export 1024 and other cipher suites Note: these ciphers can also be used in SSL v3. @@ -339,8 +373,22 @@ Include only 3DES ciphers and then place RSA ciphers last: openssl ciphers -v '3DES:+RSA' +Include all RC4 ciphers but leave out those without authentication: + + openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT' + +Include all chiphers with RSA authentication but leave out ciphers without +encryption. + + openssl ciphers -v 'RSA:!COMPLEMENTOFALL' + =head1 SEE ALSO L<s_client(1)|s_client(1)>, L<s_server(1)|s_server(1)>, L<ssl(3)|ssl(3)> +=head1 HISTORY + +The B<COMPLENTOFALL> and B<COMPLEMENTOFDEFAULT> selection options were +added in version 0.9.7. + =cut |