Diffstat (limited to 'secure/usr.bin/openssl/man/ciphers.1')
-rw-r--r--secure/usr.bin/openssl/man/ciphers.1130
1 files changed, 66 insertions, 64 deletions
diff --git a/secure/usr.bin/openssl/man/ciphers.1 b/secure/usr.bin/openssl/man/ciphers.1
index 80e8138..b539f13 100644
--- a/secure/usr.bin/openssl/man/ciphers.1
+++ b/secure/usr.bin/openssl/man/ciphers.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:31 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
.\"
.\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
.de Sh \" Subsection heading
.br
.if t .Sp
@@ -15,12 +14,6 @@
.if t .sp .5v
.if n .sp
..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
.de Vb \" Begin verbatim text
.ft CW
.nf
@@ -28,15 +21,14 @@
..
.de Ve \" End verbatim text
.ft R
-
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
.tr \(*W-|\(bv\*(Tr
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
@@ -56,10 +48,10 @@
. ds R" ''
'br\}
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
.if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
. rr F
.\}
.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
.hy 0
.if n .na
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
@@ -135,13 +126,12 @@
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
.\"
.IX Title "CIPHERS 1"
-.TH CIPHERS 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH CIPHERS 1 "2005-02-25" "0.9.7d" "OpenSSL"
.SH "NAME"
-ciphers \- \s-1SSL\s0 cipher display and cipher list tool.
+ciphers \- SSL cipher display and cipher list tool.
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBciphers\fR
@@ -157,7 +147,7 @@ The \fBcipherlist\fR command converts OpenSSL cipher lists into ordered
the appropriate cipherlist.
.SH "COMMAND OPTIONS"
.IX Header "COMMAND OPTIONS"
-.Ip "\fB\-v\fR" 4
+.IP "\fB\-v\fR" 4
.IX Item "-v"
verbose option. List ciphers with a complete description of
protocol version (SSLv2 or SSLv3; the latter includes \s-1TLS\s0), key exchange,
@@ -166,19 +156,19 @@ restrictions and whether the algorithm is classed as an \*(L"export\*(R" cipher.
Note that without the \fB\-v\fR option, ciphers may seem to appear twice
in a cipher list; this is when similar ciphers are available for
\&\s-1SSL\s0 v2 and for \s-1SSL\s0 v3/TLS v1.
-.Ip "\fB\-ssl3\fR" 4
+.IP "\fB\-ssl3\fR" 4
.IX Item "-ssl3"
only include \s-1SSL\s0 v3 ciphers.
-.Ip "\fB\-ssl2\fR" 4
+.IP "\fB\-ssl2\fR" 4
.IX Item "-ssl2"
only include \s-1SSL\s0 v2 ciphers.
-.Ip "\fB\-tls1\fR" 4
+.IP "\fB\-tls1\fR" 4
.IX Item "-tls1"
only include \s-1TLS\s0 v1 ciphers.
-.Ip "\fB\-h\fR, \fB\-?\fR" 4
+.IP "\fB\-h\fR, \fB\-?\fR" 4
.IX Item "-h, -?"
print a brief usage message.
-.Ip "\fBcipherlist\fR" 4
+.IP "\fBcipherlist\fR" 4
.IX Item "cipherlist"
a cipher list to convert to a cipher preference list. If it is not included
then the default cipher list will be used. The format is described below.
@@ -202,13 +192,13 @@ Lists of cipher suites can be combined in a single cipher string using the
algorithms.
.PP
Each cipher string can be optionally preceded by the characters \fB!\fR,
-\&\fB-\fR or \fB+\fR.
+\&\fB\-\fR or \fB+\fR.
.PP
If \fB!\fR is used then the ciphers are permanently deleted from the list.
The ciphers deleted can never reappear in the list even if they are
explicitly stated.
.PP
-If \fB-\fR is used then the ciphers are deleted from the list, but some or
+If \fB\-\fR is used then the ciphers are deleted from the list, but some or
all of the ciphers can be added again by later options.
.PP
If \fB+\fR is used then the ciphers are moved to the end of the list. This
@@ -224,107 +214,107 @@ the current cipher list in order of encryption algorithm key length.
.SH "CIPHER STRINGS"
.IX Header "CIPHER STRINGS"
The following is a list of all permitted cipher strings and their meanings.
-.Ip "\fB\s-1DEFAULT\s0\fR" 4
+.IP "\fB\s-1DEFAULT\s0\fR" 4
.IX Item "DEFAULT"
the default cipher list. This is determined at compile time and is normally
\&\fB\s-1ALL:\s0!ADH:RC4+RSA:+SSLv2:@STRENGTH\fR. This must be the first cipher string
specified.
-.Ip "\fB\s-1COMPLEMENTOFDEFAULT\s0\fR" 4
+.IP "\fB\s-1COMPLEMENTOFDEFAULT\s0\fR" 4
.IX Item "COMPLEMENTOFDEFAULT"
the ciphers included in \fB\s-1ALL\s0\fR, but not enabled by default. Currently
this is \fB\s-1ADH\s0\fR. Note that this rule does not cover \fBeNULL\fR, which is
not included by \fB\s-1ALL\s0\fR (use \fB\s-1COMPLEMENTOFALL\s0\fR if necessary).
-.Ip "\fB\s-1ALL\s0\fR" 4
+.IP "\fB\s-1ALL\s0\fR" 4
.IX Item "ALL"
all ciphers suites except the \fBeNULL\fR ciphers which must be explicitly enabled.
-.Ip "\fB\s-1COMPLEMENTOFALL\s0\fR" 4
+.IP "\fB\s-1COMPLEMENTOFALL\s0\fR" 4
.IX Item "COMPLEMENTOFALL"
the cipher suites not enabled by \fB\s-1ALL\s0\fR, currently being \fBeNULL\fR.
-.Ip "\fB\s-1HIGH\s0\fR" 4
+.IP "\fB\s-1HIGH\s0\fR" 4
.IX Item "HIGH"
\&\*(L"high\*(R" encryption cipher suites. This currently means those with key lengths larger
than 128 bits.
-.Ip "\fB\s-1MEDIUM\s0\fR" 4
+.IP "\fB\s-1MEDIUM\s0\fR" 4
.IX Item "MEDIUM"
\&\*(L"medium\*(R" encryption cipher suites, currently those using 128 bit encryption.
-.Ip "\fB\s-1LOW\s0\fR" 4
+.IP "\fB\s-1LOW\s0\fR" 4
.IX Item "LOW"
\&\*(L"low\*(R" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms
but excluding export cipher suites.
-.Ip "\fB\s-1EXP\s0\fR, \fB\s-1EXPORT\s0\fR" 4
+.IP "\fB\s-1EXP\s0\fR, \fB\s-1EXPORT\s0\fR" 4
.IX Item "EXP, EXPORT"
export encryption algorithms. Including 40 and 56 bits algorithms.
-.Ip "\fB\s-1EXPORT40\s0\fR" 4
+.IP "\fB\s-1EXPORT40\s0\fR" 4
.IX Item "EXPORT40"
40 bit export encryption algorithms
-.Ip "\fB\s-1EXPORT56\s0\fR" 4
+.IP "\fB\s-1EXPORT56\s0\fR" 4
.IX Item "EXPORT56"
56 bit export encryption algorithms.
-.Ip "\fBeNULL\fR, \fB\s-1NULL\s0\fR" 4
+.IP "\fBeNULL\fR, \fB\s-1NULL\s0\fR" 4
.IX Item "eNULL, NULL"
the \*(L"\s-1NULL\s0\*(R" ciphers that is those offering no encryption. Because these offer no
encryption at all and are a security risk they are disabled unless explicitly
included.
-.Ip "\fBaNULL\fR" 4
+.IP "\fBaNULL\fR" 4
.IX Item "aNULL"
the cipher suites offering no authentication. This is currently the anonymous
\&\s-1DH\s0 algorithms. These cipher suites are vulnerable to a \*(L"man in the middle\*(R"
attack and so their use is normally discouraged.
-.Ip "\fBkRSA\fR, \fB\s-1RSA\s0\fR" 4
+.IP "\fBkRSA\fR, \fB\s-1RSA\s0\fR" 4
.IX Item "kRSA, RSA"
cipher suites using \s-1RSA\s0 key exchange.
-.Ip "\fBkEDH\fR" 4
+.IP "\fBkEDH\fR" 4
.IX Item "kEDH"
cipher suites using ephemeral \s-1DH\s0 key agreement.
-.Ip "\fBkDHr\fR, \fBkDHd\fR" 4
+.IP "\fBkDHr\fR, \fBkDHd\fR" 4
.IX Item "kDHr, kDHd"
cipher suites using \s-1DH\s0 key agreement and \s-1DH\s0 certificates signed by CAs with \s-1RSA\s0
and \s-1DSS\s0 keys respectively. Not implemented.
-.Ip "\fBaRSA\fR" 4
+.IP "\fBaRSA\fR" 4
.IX Item "aRSA"
cipher suites using \s-1RSA\s0 authentication, i.e. the certificates carry \s-1RSA\s0 keys.
-.Ip "\fBaDSS\fR, \fB\s-1DSS\s0\fR" 4
+.IP "\fBaDSS\fR, \fB\s-1DSS\s0\fR" 4
.IX Item "aDSS, DSS"
cipher suites using \s-1DSS\s0 authentication, i.e. the certificates carry \s-1DSS\s0 keys.
-.Ip "\fBaDH\fR" 4
+.IP "\fBaDH\fR" 4
.IX Item "aDH"
cipher suites effectively using \s-1DH\s0 authentication, i.e. the certificates carry
\&\s-1DH\s0 keys. Not implemented.
-.Ip "\fBkFZA\fR, \fBaFZA\fR, \fBeFZA\fR, \fB\s-1FZA\s0\fR" 4
+.IP "\fBkFZA\fR, \fBaFZA\fR, \fBeFZA\fR, \fB\s-1FZA\s0\fR" 4
.IX Item "kFZA, aFZA, eFZA, FZA"
ciphers suites using \s-1FORTEZZA\s0 key exchange, authentication, encryption or all
\&\s-1FORTEZZA\s0 algorithms. Not implemented.
-.Ip "\fBTLSv1\fR, \fBSSLv3\fR, \fBSSLv2\fR" 4
+.IP "\fBTLSv1\fR, \fBSSLv3\fR, \fBSSLv2\fR" 4
.IX Item "TLSv1, SSLv3, SSLv2"
\&\s-1TLS\s0 v1.0, \s-1SSL\s0 v3.0 or \s-1SSL\s0 v2.0 cipher suites respectively.
-.Ip "\fB\s-1DH\s0\fR" 4
+.IP "\fB\s-1DH\s0\fR" 4
.IX Item "DH"
cipher suites using \s-1DH\s0, including anonymous \s-1DH\s0.
-.Ip "\fB\s-1ADH\s0\fR" 4
+.IP "\fB\s-1ADH\s0\fR" 4
.IX Item "ADH"
anonymous \s-1DH\s0 cipher suites.
-.Ip "\fB\s-1AES\s0\fR" 4
+.IP "\fB\s-1AES\s0\fR" 4
.IX Item "AES"
cipher suites using \s-1AES\s0.
-.Ip "\fB3DES\fR" 4
+.IP "\fB3DES\fR" 4
.IX Item "3DES"
cipher suites using triple \s-1DES\s0.
-.Ip "\fB\s-1DES\s0\fR" 4
+.IP "\fB\s-1DES\s0\fR" 4
.IX Item "DES"
cipher suites using \s-1DES\s0 (not triple \s-1DES\s0).
-.Ip "\fB\s-1RC4\s0\fR" 4
+.IP "\fB\s-1RC4\s0\fR" 4
.IX Item "RC4"
cipher suites using \s-1RC4\s0.
-.Ip "\fB\s-1RC2\s0\fR" 4
+.IP "\fB\s-1RC2\s0\fR" 4
.IX Item "RC2"
cipher suites using \s-1RC2\s0.
-.Ip "\fB\s-1IDEA\s0\fR" 4
+.IP "\fB\s-1IDEA\s0\fR" 4
.IX Item "IDEA"
cipher suites using \s-1IDEA\s0.
-.Ip "\fB\s-1MD5\s0\fR" 4
+.IP "\fB\s-1MD5\s0\fR" 4
.IX Item "MD5"
cipher suites using \s-1MD5\s0.
-.Ip "\fB\s-1SHA1\s0\fR, \fB\s-1SHA\s0\fR" 4
+.IP "\fB\s-1SHA1\s0\fR, \fB\s-1SHA\s0\fR" 4
.IX Item "SHA1, SHA"
cipher suites using \s-1SHA1\s0.
.SH "CIPHER SUITE NAMES"
@@ -332,7 +322,7 @@ cipher suites using \s-1SHA1\s0.
The following lists give the \s-1SSL\s0 or \s-1TLS\s0 cipher suites names from the
relevant specification and their OpenSSL equivalents. It should be noted,
that several cipher suite names do not include the authentication used,
-e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
+e.g. \s-1DES\-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
.Sh "\s-1SSL\s0 v3.0 cipher suites."
.IX Subsection "SSL v3.0 cipher suites."
.Vb 10
@@ -347,6 +337,7 @@ e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
\& SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
\& SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
.Ve
+.PP
.Vb 12
\& SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented.
\& SSL_DH_DSS_WITH_DES_CBC_SHA Not implemented.
@@ -361,6 +352,7 @@ e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
\& SSL_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
\& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
.Ve
+.PP
.Vb 5
\& SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5
\& SSL_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
@@ -368,6 +360,7 @@ e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
\& SSL_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
\& SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
.Ve
+.PP
.Vb 3
\& SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented.
\& SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented.
@@ -387,6 +380,7 @@ e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
\& TLS_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
\& TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
.Ve
+.PP
.Vb 12
\& TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented.
\& TLS_DH_DSS_WITH_DES_CBC_SHA Not implemented.
@@ -401,6 +395,7 @@ e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
\& TLS_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
\& TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
.Ve
+.PP
.Vb 5
\& TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5
\& TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
@@ -414,18 +409,21 @@ e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
\& TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
\& TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
.Ve
+.PP
.Vb 4
\& TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA
\& TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA
\& TLS_DH_RSA_WITH_AES_128_CBC_SHA DH-RSA-AES128-SHA
\& TLS_DH_RSA_WITH_AES_256_CBC_SHA DH-RSA-AES256-SHA
.Ve
+.PP
.Vb 4
\& TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA
\& TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA
\& TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE-RSA-AES128-SHA
\& TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA
.Ve
+.PP
.Vb 2
\& TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA
\& TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA
@@ -466,22 +464,26 @@ Verbose listing of all OpenSSL ciphers including \s-1NULL\s0 ciphers:
.Vb 1
\& openssl ciphers -v 'ALL:eNULL'
.Ve
+.PP
Include all ciphers except \s-1NULL\s0 and anonymous \s-1DH\s0 then sort by
strength:
.PP
.Vb 1
\& openssl ciphers -v 'ALL:!ADH:@STRENGTH'
.Ve
+.PP
Include only 3DES ciphers and then place \s-1RSA\s0 ciphers last:
.PP
.Vb 1
\& openssl ciphers -v '3DES:+RSA'
.Ve
+.PP
Include all \s-1RC4\s0 ciphers but leave out those without authentication:
.PP
.Vb 1
\& openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT'
.Ve
+.PP
Include all chiphers with \s-1RSA\s0 authentication but leave out ciphers without
encryption.
.PP
@@ -490,7 +492,7 @@ encryption.
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-s_client(1), s_server(1), ssl(3)
+\&\fIs_client\fR\|(1), \fIs_server\fR\|(1), \fIssl\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\s-1COMPLENTOFALL\s0\fR and \fB\s-1COMPLEMENTOFDEFAULT\s0\fR selection options were