diff options
Diffstat (limited to 'secure/usr.bin/openssl/man/ciphers.1')
-rw-r--r-- | secure/usr.bin/openssl/man/ciphers.1 | 62 |
1 files changed, 36 insertions, 26 deletions
diff --git a/secure/usr.bin/openssl/man/ciphers.1 b/secure/usr.bin/openssl/man/ciphers.1 index d7fd3e2..2d3f818 100644 --- a/secure/usr.bin/openssl/man/ciphers.1 +++ b/secure/usr.bin/openssl/man/ciphers.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "CIPHERS 1" -.TH CIPHERS 1 "2016-01-28" "1.0.1r" "OpenSSL" +.TH CIPHERS 1 "2016-03-01" "1.0.1s" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -168,21 +168,18 @@ in a cipher list; this is when similar ciphers are available for .IP "\fB\-V\fR" 4 .IX Item "-V" Like \fB\-v\fR, but include cipher suite codes in output (hex format). -.IP "\fB\-ssl3\fR" 4 -.IX Item "-ssl3" -only include \s-1SSL\s0 v3 ciphers. +.IP "\fB\-ssl3\fR, \fB\-tls1\fR" 4 +.IX Item "-ssl3, -tls1" +This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2. .IP "\fB\-ssl2\fR" 4 .IX Item "-ssl2" -only include \s-1SSL\s0 v2 ciphers. -.IP "\fB\-tls1\fR" 4 -.IX Item "-tls1" -only include \s-1TLS\s0 v1 ciphers. +Only include SSLv2 ciphers. .IP "\fB\-h\fR, \fB\-?\fR" 4 .IX Item "-h, -?" -print a brief usage message. +Print a brief usage message. .IP "\fBcipherlist\fR" 4 .IX Item "cipherlist" -a cipher list to convert to a cipher preference list. If it is not included +A cipher list to convert to a cipher preference list. If it is not included then the default cipher list will be used. The format is described below. .SH "CIPHER LIST FORMAT" .IX Header "CIPHER LIST FORMAT" @@ -228,9 +225,10 @@ the current cipher list in order of encryption algorithm key length. The following is a list of all permitted cipher strings and their meanings. .IP "\fB\s-1DEFAULT\s0\fR" 4 .IX Item "DEFAULT" -the default cipher list. This is determined at compile time and -is normally \fB\s-1ALL:\s0!EXPORT:!aNULL:!eNULL:!SSLv2\fR. This must be the firstcipher string -specified. +The default cipher list. +This is determined at compile time and is normally +\&\fB\s-1ALL:\s0!EXPORT:!aNULL:!eNULL:!SSLv2\fR. +When used, this must be the first cipherstring specified. .IP "\fB\s-1COMPLEMENTOFDEFAULT\s0\fR" 4 .IX Item "COMPLEMENTOFDEFAULT" the ciphers included in \fB\s-1ALL\s0\fR, but not enabled by default. Currently @@ -252,29 +250,41 @@ than 128 bits, and some cipher suites with 128\-bit keys. \&\*(L"medium\*(R" encryption cipher suites, currently some of those using 128 bit encryption. .IP "\fB\s-1LOW\s0\fR" 4 .IX Item "LOW" -\&\*(L"low\*(R" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms -but excluding export cipher suites. +Low strength encryption cipher suites, currently those using 64 or 56 bit +encryption algorithms but excluding export cipher suites. +As of OpenSSL 1.0.1s, these are disabled in default builds. .IP "\fB\s-1EXP\s0\fR, \fB\s-1EXPORT\s0\fR" 4 .IX Item "EXP, EXPORT" -export encryption algorithms. Including 40 and 56 bits algorithms. +Export strength encryption algorithms. Including 40 and 56 bits algorithms. +As of OpenSSL 1.0.1s, these are disabled in default builds. .IP "\fB\s-1EXPORT40\s0\fR" 4 .IX Item "EXPORT40" -40 bit export encryption algorithms +40\-bit export encryption algorithms +As of OpenSSL 1.0.1s, these are disabled in default builds. .IP "\fB\s-1EXPORT56\s0\fR" 4 .IX Item "EXPORT56" -56 bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of +56\-bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of 56 bit export ciphers is empty unless OpenSSL has been explicitly configured with support for experimental ciphers. +As of OpenSSL 1.0.1s, these are disabled in default builds. .IP "\fBeNULL\fR, \fB\s-1NULL\s0\fR" 4 .IX Item "eNULL, NULL" -the \*(L"\s-1NULL\*(R"\s0 ciphers that is those offering no encryption. Because these offer no -encryption at all and are a security risk they are disabled unless explicitly -included. +The \*(L"\s-1NULL\*(R"\s0 ciphers that is those offering no encryption. Because these offer no +encryption at all and are a security risk they are not enabled via either the +\&\fB\s-1DEFAULT\s0\fR or \fB\s-1ALL\s0\fR cipher strings. +Be careful when building cipherlists out of lower-level primitives such as +\&\fBkRSA\fR or \fBaECDSA\fR as these do overlap with the \fBeNULL\fR ciphers. +When in doubt, include \fB!eNULL\fR in your cipherlist. .IP "\fBaNULL\fR" 4 .IX Item "aNULL" -the cipher suites offering no authentication. This is currently the anonymous +The cipher suites offering no authentication. This is currently the anonymous \&\s-1DH\s0 algorithms and anonymous \s-1ECDH\s0 algorithms. These cipher suites are vulnerable to a \*(L"man in the middle\*(R" attack and so their use is normally discouraged. +These are excluded from the \fB\s-1DEFAULT\s0\fR ciphers, but included in the \fB\s-1ALL\s0\fR +ciphers. +Be careful when building cipherlists out of lower-level primitives such as +\&\fBkDHE\fR or \fB\s-1AES\s0\fR as these do overlap with the \fBaNULL\fR ciphers. +When in doubt, include \fB!aNULL\fR in your cipherlist. .IP "\fBkRSA\fR, \fB\s-1RSA\s0\fR" 4 .IX Item "kRSA, RSA" cipher suites using \s-1RSA\s0 key exchange. @@ -650,11 +660,11 @@ Note: these ciphers can also be used in \s-1SSL\s0 v3. .IX Subsection "Deprecated SSL v2.0 cipher suites." .Vb 7 \& SSL_CK_RC4_128_WITH_MD5 RC4\-MD5 -\& SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP\-RC4\-MD5 -\& SSL_CK_RC2_128_CBC_WITH_MD5 RC2\-MD5 -\& SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP\-RC2\-MD5 +\& SSL_CK_RC4_128_EXPORT40_WITH_MD5 Not implemented. +\& SSL_CK_RC2_128_CBC_WITH_MD5 RC2\-CBC\-MD5 +\& SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 Not implemented. \& SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA\-CBC\-MD5 -\& SSL_CK_DES_64_CBC_WITH_MD5 DES\-CBC\-MD5 +\& SSL_CK_DES_64_CBC_WITH_MD5 Not implemented. \& SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES\-CBC3\-MD5 .Ve .SH "NOTES" |