]>
Commit | Line | Data |
---|---|---|
64287002 DSH |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
5 | ciphers - SSL cipher display and cipher list tool. | |
6 | ||
7 | =head1 SYNOPSIS | |
8 | ||
9 | B<openssl> B<ciphers> | |
10 | [B<-v>] | |
13e4670c | 11 | [B<-V>] |
64287002 DSH |
12 | [B<-ssl2>] |
13 | [B<-ssl3>] | |
14 | [B<-tls1>] | |
15 | [B<cipherlist>] | |
16 | ||
17 | =head1 DESCRIPTION | |
18 | ||
13e4670c | 19 | The B<ciphers> command converts textual OpenSSL cipher lists into ordered |
64287002 DSH |
20 | SSL cipher preference lists. It can be used as a test tool to determine |
21 | the appropriate cipherlist. | |
22 | ||
23 | =head1 COMMAND OPTIONS | |
24 | ||
25 | =over 4 | |
26 | ||
27 | =item B<-v> | |
28 | ||
13e4670c | 29 | Verbose option. List ciphers with a complete description of |
8acdd759 BM |
30 | protocol version (SSLv2 or SSLv3; the latter includes TLS), key exchange, |
31 | authentication, encryption and mac algorithms used along with any key size | |
64287002 | 32 | restrictions and whether the algorithm is classed as an "export" cipher. |
8acdd759 BM |
33 | Note that without the B<-v> option, ciphers may seem to appear twice |
34 | in a cipher list; this is when similar ciphers are available for | |
35 | SSL v2 and for SSL v3/TLS v1. | |
64287002 | 36 | |
13e4670c BM |
37 | =item B<-V> |
38 | ||
39 | Like B<-V>, but include cipher suite codes in output (hex format). | |
40 | ||
64287002 DSH |
41 | =item B<-ssl3> |
42 | ||
43 | only include SSL v3 ciphers. | |
44 | ||
45 | =item B<-ssl2> | |
46 | ||
47 | only include SSL v2 ciphers. | |
48 | ||
49 | =item B<-tls1> | |
50 | ||
51 | only include TLS v1 ciphers. | |
52 | ||
53 | =item B<-h>, B<-?> | |
54 | ||
55 | print a brief usage message. | |
56 | ||
57 | =item B<cipherlist> | |
58 | ||
59 | a cipher list to convert to a cipher preference list. If it is not included | |
60 | then the default cipher list will be used. The format is described below. | |
61 | ||
8548d442 RL |
62 | =back |
63 | ||
64287002 DSH |
64 | =head1 CIPHER LIST FORMAT |
65 | ||
66 | The cipher list consists of one or more I<cipher strings> separated by colons. | |
67 | Commas or spaces are also acceptable separators but colons are normally used. | |
68 | ||
69 | The actual cipher string can take several different forms. | |
70 | ||
71 | It can consist of a single cipher suite such as B<RC4-SHA>. | |
72 | ||
73 | It can represent a list of cipher suites containing a certain algorithm, or | |
74 | cipher suites of a certain type. For example B<SHA1> represents all ciphers | |
75 | suites using the digest algorithm SHA1 and B<SSLv3> represents all SSL v3 | |
76 | algorithms. | |
77 | ||
78 | Lists of cipher suites can be combined in a single cipher string using the | |
79 | B<+> character. This is used as a logical B<and> operation. For example | |
80 | B<SHA1+DES> represents all cipher suites containing the SHA1 B<and> the DES | |
81 | algorithms. | |
82 | ||
83 | Each cipher string can be optionally preceded by the characters B<!>, | |
84 | B<-> or B<+>. | |
85 | ||
86 | If B<!> is used then the ciphers are permanently deleted from the list. | |
87 | The ciphers deleted can never reappear in the list even if they are | |
88 | explicitly stated. | |
89 | ||
90 | If B<-> is used then the ciphers are deleted from the list, but some or | |
91 | all of the ciphers can be added again by later options. | |
92 | ||
93 | If B<+> is used then the ciphers are moved to the end of the list. This | |
94 | option doesn't add any new ciphers it just moves matching existing ones. | |
95 | ||
96 | If none of these characters is present then the string is just interpreted | |
97 | as a list of ciphers to be appended to the current preference list. If the | |
98 | list includes any ciphers already present they will be ignored: that is they | |
99 | will not moved to the end of the list. | |
100 | ||
101 | Additionally the cipher string B<@STRENGTH> can be used at any point to sort | |
102 | the current cipher list in order of encryption algorithm key length. | |
103 | ||
104 | =head1 CIPHER STRINGS | |
105 | ||
106 | The following is a list of all permitted cipher strings and their meanings. | |
107 | ||
108 | =over 4 | |
109 | ||
110 | =item B<DEFAULT> | |
111 | ||
112 | the default cipher list. This is determined at compile time and is normally | |
3142c86d DSH |
113 | B<ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH>. This must be the first cipher string |
114 | specified. | |
64287002 | 115 | |
c6ccf055 LJ |
116 | =item B<COMPLEMENTOFDEFAULT> |
117 | ||
8be4e173 BM |
118 | the ciphers included in B<ALL>, but not enabled by default. Currently |
119 | this is B<ADH>. Note that this rule does not cover B<eNULL>, which is | |
120 | not included by B<ALL> (use B<COMPLEMENTOFALL> if necessary). | |
c6ccf055 | 121 | |
64287002 DSH |
122 | =item B<ALL> |
123 | ||
124 | all ciphers suites except the B<eNULL> ciphers which must be explicitly enabled. | |
125 | ||
c6ccf055 LJ |
126 | =item B<COMPLEMENTOFALL> |
127 | ||
128 | the cipher suites not enabled by B<ALL>, currently being B<eNULL>. | |
129 | ||
64287002 DSH |
130 | =item B<HIGH> |
131 | ||
132 | "high" encryption cipher suites. This currently means those with key lengths larger | |
75d61b33 | 133 | than 128 bits, and some cipher suites with 128-bit keys. |
64287002 DSH |
134 | |
135 | =item B<MEDIUM> | |
136 | ||
75d61b33 | 137 | "medium" encryption cipher suites, currently some of those using 128 bit encryption. |
64287002 DSH |
138 | |
139 | =item B<LOW> | |
140 | ||
141 | "low" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms | |
142 | but excluding export cipher suites. | |
143 | ||
144 | =item B<EXP>, B<EXPORT> | |
145 | ||
146 | export encryption algorithms. Including 40 and 56 bits algorithms. | |
147 | ||
148 | =item B<EXPORT40> | |
149 | ||
150 | 40 bit export encryption algorithms | |
151 | ||
152 | =item B<EXPORT56> | |
153 | ||
bcb38217 NL |
154 | 56 bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of |
155 | 56 bit export ciphers is empty unless OpenSSL has been explicitly configured | |
156 | with support for experimental ciphers. | |
64287002 DSH |
157 | |
158 | =item B<eNULL>, B<NULL> | |
159 | ||
160 | the "NULL" ciphers that is those offering no encryption. Because these offer no | |
161 | encryption at all and are a security risk they are disabled unless explicitly | |
162 | included. | |
163 | ||
164 | =item B<aNULL> | |
165 | ||
166 | the cipher suites offering no authentication. This is currently the anonymous | |
167 | DH algorithms. These cipher suites are vulnerable to a "man in the middle" | |
3142c86d | 168 | attack and so their use is normally discouraged. |
64287002 DSH |
169 | |
170 | =item B<kRSA>, B<RSA> | |
171 | ||
172 | cipher suites using RSA key exchange. | |
173 | ||
174 | =item B<kEDH> | |
175 | ||
176 | cipher suites using ephemeral DH key agreement. | |
177 | ||
178 | =item B<kDHr>, B<kDHd> | |
179 | ||
180 | cipher suites using DH key agreement and DH certificates signed by CAs with RSA | |
181 | and DSS keys respectively. Not implemented. | |
182 | ||
183 | =item B<aRSA> | |
184 | ||
185 | cipher suites using RSA authentication, i.e. the certificates carry RSA keys. | |
186 | ||
187 | =item B<aDSS>, B<DSS> | |
188 | ||
189 | cipher suites using DSS authentication, i.e. the certificates carry DSS keys. | |
190 | ||
191 | =item B<aDH> | |
192 | ||
193 | cipher suites effectively using DH authentication, i.e. the certificates carry | |
194 | DH keys. Not implemented. | |
195 | ||
196 | =item B<kFZA>, B<aFZA>, B<eFZA>, B<FZA> | |
197 | ||
198 | ciphers suites using FORTEZZA key exchange, authentication, encryption or all | |
199 | FORTEZZA algorithms. Not implemented. | |
200 | ||
201 | =item B<TLSv1>, B<SSLv3>, B<SSLv2> | |
202 | ||
203 | TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. | |
204 | ||
205 | =item B<DH> | |
206 | ||
207 | cipher suites using DH, including anonymous DH. | |
208 | ||
209 | =item B<ADH> | |
210 | ||
657e60fa | 211 | anonymous DH cipher suites. |
64287002 | 212 | |
44fcd3ef LJ |
213 | =item B<AES> |
214 | ||
215 | cipher suites using AES. | |
216 | ||
64287002 DSH |
217 | =item B<3DES> |
218 | ||
219 | cipher suites using triple DES. | |
220 | ||
221 | =item B<DES> | |
222 | ||
223 | cipher suites using DES (not triple DES). | |
224 | ||
225 | =item B<RC4> | |
226 | ||
227 | cipher suites using RC4. | |
228 | ||
229 | =item B<RC2> | |
230 | ||
231 | cipher suites using RC2. | |
232 | ||
233 | =item B<IDEA> | |
234 | ||
235 | cipher suites using IDEA. | |
236 | ||
237 | =item B<MD5> | |
238 | ||
239 | cipher suites using MD5. | |
240 | ||
241 | =item B<SHA1>, B<SHA> | |
242 | ||
243 | cipher suites using SHA1. | |
244 | ||
f3dea9a5 BM |
245 | =item B<Camellia> |
246 | ||
247 | cipher suites using Camellia. | |
248 | ||
64287002 DSH |
249 | =back |
250 | ||
251 | =head1 CIPHER SUITE NAMES | |
252 | ||
253 | The following lists give the SSL or TLS cipher suites names from the | |
44fcd3ef LJ |
254 | relevant specification and their OpenSSL equivalents. It should be noted, |
255 | that several cipher suite names do not include the authentication used, | |
256 | e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. | |
64287002 DSH |
257 | |
258 | =head2 SSL v3.0 cipher suites. | |
259 | ||
260 | SSL_RSA_WITH_NULL_MD5 NULL-MD5 | |
261 | SSL_RSA_WITH_NULL_SHA NULL-SHA | |
262 | SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5 | |
263 | SSL_RSA_WITH_RC4_128_MD5 RC4-MD5 | |
264 | SSL_RSA_WITH_RC4_128_SHA RC4-SHA | |
265 | SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5 | |
266 | SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA | |
267 | SSL_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA | |
268 | SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA | |
269 | SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA | |
270 | ||
271 | SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented. | |
272 | SSL_DH_DSS_WITH_DES_CBC_SHA Not implemented. | |
273 | SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented. | |
274 | SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA Not implemented. | |
275 | SSL_DH_RSA_WITH_DES_CBC_SHA Not implemented. | |
276 | SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented. | |
277 | SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA | |
278 | SSL_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA | |
279 | SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA | |
280 | SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA | |
281 | SSL_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA | |
282 | SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA | |
283 | ||
284 | SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5 | |
285 | SSL_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 | |
286 | SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP-ADH-DES-CBC-SHA | |
287 | SSL_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA | |
288 | SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA | |
289 | ||
290 | SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented. | |
291 | SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented. | |
292 | SSL_FORTEZZA_KEA_WITH_RC4_128_SHA Not implemented. | |
293 | ||
294 | =head2 TLS v1.0 cipher suites. | |
295 | ||
296 | TLS_RSA_WITH_NULL_MD5 NULL-MD5 | |
297 | TLS_RSA_WITH_NULL_SHA NULL-SHA | |
298 | TLS_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5 | |
299 | TLS_RSA_WITH_RC4_128_MD5 RC4-MD5 | |
300 | TLS_RSA_WITH_RC4_128_SHA RC4-SHA | |
301 | TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5 | |
302 | TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA | |
303 | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA | |
304 | TLS_RSA_WITH_DES_CBC_SHA DES-CBC-SHA | |
305 | TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA | |
306 | ||
307 | TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented. | |
308 | TLS_DH_DSS_WITH_DES_CBC_SHA Not implemented. | |
309 | TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented. | |
310 | TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA Not implemented. | |
311 | TLS_DH_RSA_WITH_DES_CBC_SHA Not implemented. | |
312 | TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented. | |
313 | TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA | |
314 | TLS_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA | |
315 | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA | |
316 | TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA | |
317 | TLS_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA | |
318 | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA | |
319 | ||
320 | TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5 | |
321 | TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 | |
322 | TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP-ADH-DES-CBC-SHA | |
323 | TLS_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA | |
324 | TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA | |
325 | ||
44fcd3ef LJ |
326 | =head2 AES ciphersuites from RFC3268, extending TLS v1.0 |
327 | ||
328 | TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA | |
329 | TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA | |
330 | ||
331 | TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA | |
332 | TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA | |
333 | TLS_DH_RSA_WITH_AES_128_CBC_SHA DH-RSA-AES128-SHA | |
334 | TLS_DH_RSA_WITH_AES_256_CBC_SHA DH-RSA-AES256-SHA | |
335 | ||
336 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA | |
337 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA | |
338 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE-RSA-AES128-SHA | |
339 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA | |
340 | ||
341 | TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA | |
342 | TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA | |
343 | ||
f3dea9a5 BM |
344 | =head2 Camellia ciphersuites from RFC4132, extending TLS v1.0 |
345 | ||
346 | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128-SHA | |
347 | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256-SHA | |
348 | ||
349 | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA Not implemented. | |
350 | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA Not implemented. | |
351 | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA Not implemented. | |
352 | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA Not implemented. | |
353 | ||
354 | TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE-DSS-CAMELLIA128-SHA | |
355 | TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE-DSS-CAMELLIA256-SHA | |
356 | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DHE-RSA-CAMELLIA128-SHA | |
357 | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DHE-RSA-CAMELLIA256-SHA | |
358 | ||
359 | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA ADH-CAMELLIA128-SHA | |
360 | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA ADH-CAMELLIA256-SHA | |
361 | ||
64287002 DSH |
362 | =head2 Additional Export 1024 and other cipher suites |
363 | ||
364 | Note: these ciphers can also be used in SSL v3. | |
365 | ||
366 | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DES-CBC-SHA | |
367 | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA EXP1024-RC4-SHA | |
368 | TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DHE-DSS-DES-CBC-SHA | |
369 | TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024-DHE-DSS-RC4-SHA | |
370 | TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA | |
371 | ||
372 | =head2 SSL v2.0 cipher suites. | |
373 | ||
374 | SSL_CK_RC4_128_WITH_MD5 RC4-MD5 | |
375 | SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5 | |
376 | SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5 | |
377 | SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5 | |
378 | SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5 | |
379 | SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5 | |
380 | SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5 | |
381 | ||
382 | =head1 NOTES | |
383 | ||
657e60fa | 384 | The non-ephemeral DH modes are currently unimplemented in OpenSSL |
64287002 DSH |
385 | because there is no support for DH certificates. |
386 | ||
387 | Some compiled versions of OpenSSL may not include all the ciphers | |
388 | listed here because some ciphers were excluded at compile time. | |
389 | ||
390 | =head1 EXAMPLES | |
391 | ||
392 | Verbose listing of all OpenSSL ciphers including NULL ciphers: | |
393 | ||
394 | openssl ciphers -v 'ALL:eNULL' | |
395 | ||
396 | Include all ciphers except NULL and anonymous DH then sort by | |
397 | strength: | |
398 | ||
399 | openssl ciphers -v 'ALL:!ADH:@STRENGTH' | |
400 | ||
401 | Include only 3DES ciphers and then place RSA ciphers last: | |
402 | ||
403 | openssl ciphers -v '3DES:+RSA' | |
404 | ||
c6ccf055 LJ |
405 | Include all RC4 ciphers but leave out those without authentication: |
406 | ||
407 | openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT' | |
408 | ||
409 | Include all chiphers with RSA authentication but leave out ciphers without | |
410 | encryption. | |
411 | ||
412 | openssl ciphers -v 'RSA:!COMPLEMENTOFALL' | |
413 | ||
64287002 DSH |
414 | =head1 SEE ALSO |
415 | ||
bb075f88 | 416 | L<s_client(1)|s_client(1)>, L<s_server(1)|s_server(1)>, L<ssl(3)|ssl(3)> |
64287002 | 417 | |
c6ccf055 LJ |
418 | =head1 HISTORY |
419 | ||
13e4670c BM |
420 | The B<COMPLENTOFALL> and B<COMPLEMENTOFDEFAULT> selection options |
421 | for cipherlist strings were added in OpenSSL 0.9.7. | |
422 | The B<-V> option for the B<ciphers> command was added in OpenSSL 0.9.9. | |
c6ccf055 | 423 | |
64287002 | 424 | =cut |