| version 1.35, 2016/07/19 20:02:47 |
version 1.36, 2016/07/20 14:42:03 |
|
|
| The same as |
The same as |
| .Fl extensions . |
.Fl extensions . |
| .El |
.El |
| .\" |
|
| .\" CIPHERS |
|
| .\" |
|
| .Sh CIPHERS |
.Sh CIPHERS |
| .Nm openssl ciphers |
.Nm openssl ciphers |
| .Op Fl hVv |
.Op Fl hVv |
|
|
| The |
The |
| .Nm ciphers |
.Nm ciphers |
| command converts |
command converts |
| .Nm OpenSSL |
.Nm openssl |
| cipher lists into ordered SSL cipher preference lists. |
cipher lists into ordered SSL cipher preference lists. |
| It can be used as a test tool to determine the appropriate cipherlist. |
It can be used as a test tool to determine the appropriate cipherlist. |
| .Pp |
.Pp |
|
|
| .It Fl tls1 |
.It Fl tls1 |
| Only include TLS v1 ciphers. |
Only include TLS v1 ciphers. |
| .It Fl V |
.It Fl V |
| Like |
Verbose. |
| .Fl v , |
|
| but include cipher suite codes in output (hex format). |
|
| .It Fl v |
|
| Verbose option. |
|
| List ciphers with a complete description of protocol version, |
List ciphers with a complete description of protocol version, |
| key exchange, authentication, encryption and mac algorithms used along with |
key exchange, authentication, encryption and mac algorithms, |
| any key size restrictions. |
any key size restrictions, |
| Note that without the |
and cipher suite codes (hex format). |
| .Fl v |
.It Fl v |
| option, ciphers may seem to appear twice in a cipher list. |
Like |
| |
.Fl V , |
| |
but without cipher suite codes. |
| .It Ar cipherlist |
.It Ar cipherlist |
| A cipher list to convert to a cipher preference list. |
A cipher list to convert to a cipher preference list. |
| If it is not included, the default cipher list will be used. |
If it is not included, the default cipher list will be used. |
| The format is described below. |
.Pp |
| .El |
The cipher list consists of one or more cipher strings |
| .Sh CIPHERS LIST FORMAT |
|
| The cipher list consists of one or more |
|
| .Em cipher strings |
|
| separated by colons. |
separated by colons. |
| Commas or spaces are also acceptable separators, but colons are normally used. |
Commas or spaces are also acceptable separators, but colons are normally used. |
| .Pp |
.Pp |
| The actual |
The actual cipher string can take several different forms: |
| .Em cipher string |
|
| can take several different forms: |
|
| .Pp |
.Pp |
| It can consist of a single cipher suite such as |
It can consist of a single cipher suite, such as RC4-SHA. |
| .Em RC4-SHA . |
|
| .Pp |
.Pp |
| It can represent a list of cipher suites containing a certain algorithm, |
It can represent a list of cipher suites containing a certain algorithm, |
| or cipher suites of a certain type. |
or cipher suites of a certain type. |
| For example |
For example SHA1 represents all cipher suites using the digest algorithm SHA1. |
| .Em SHA1 |
|
| represents all cipher suites using the digest algorithm SHA1. |
|
| .Pp |
.Pp |
| Lists of cipher suites can be combined in a single |
Lists of cipher suites can be combined in a single cipher string using the |
| .Em cipher string |
|
| using the |
|
| .Sq + |
.Sq + |
| character. |
character |
| This is used as a logical |
(logical AND operation). |
| .Em and |
For example, SHA1+DES represents all cipher suites |
| operation. |
containing the SHA1 and DES algorithms. |
| For example, |
|
| .Em SHA1+DES |
|
| represents all cipher suites containing the SHA1 and the DES algorithms. |
|
| .Pp |
.Pp |
| Each cipher string can be optionally preceded by the characters |
Each cipher string can be optionally preceded by the characters |
| .Sq \&! , |
.Sq \&! , |
| .Sq - , |
.Sq - , |
| or |
or |
| .Sq + . |
.Sq + . |
| .Pp |
|
| If |
If |
| .Sq !\& |
.Sq !\& |
| is used, then the ciphers are permanently deleted from the list. |
is used, then the ciphers are permanently deleted from the list. |
| The ciphers deleted can never reappear in the list even if they are |
The ciphers deleted can never reappear in the list even if they are |
| explicitly stated. |
explicitly stated. |
| .Pp |
|
| If |
If |
| .Sq - |
.Sq - |
| is used, then the ciphers are deleted from the list, but some or |
is used, then the ciphers are deleted from the list, but some or |
| all of the ciphers can be added again by later options. |
all of the ciphers can be added again by later options. |
| .Pp |
|
| If |
If |
| .Sq + |
.Sq + |
| is used, then the ciphers are moved to the end of the list. |
is used, then the ciphers are moved to the end of the list. |
|
|
| that is, they will not be moved to the end of the list. |
that is, they will not be moved to the end of the list. |
| .Pp |
.Pp |
| Additionally, the cipher string |
Additionally, the cipher string |
| .Em @STRENGTH |
.Cm @STRENGTH |
| can be used at any point to sort the current cipher list in order of |
can be used at any point to sort the current cipher list in order of |
| encryption algorithm key length. |
encryption algorithm key length. |
| .Sh CIPHERS STRINGS |
.El |
| |
.Pp |
| The following is a list of all permitted cipher strings and their meanings. |
The following is a list of all permitted cipher strings and their meanings. |
| .Bl -tag -width "XXXX" |
.Bl -tag -width "XXXX" |
| .It Ar DEFAULT |
.It Cm DEFAULT |
| The default cipher list. |
The default cipher list. |
| This is determined at compile time and is currently |
This is determined at compile time and is currently |
| .Ar ALL:!aNULL:!eNULL:!SSLv2 . |
.Cm ALL:!aNULL:!eNULL:!SSLv2 . |
| This must be the first |
This must be the first cipher string specified. |
| .Ar cipher string |
.It Cm COMPLEMENTOFDEFAULT |
| specified. |
|
| .It Ar COMPLEMENTOFDEFAULT |
|
| The ciphers included in |
The ciphers included in |
| .Ar ALL , |
.Cm ALL , |
| but not enabled by default. |
but not enabled by default. |
| Currently this is |
Currently this is |
| .Ar ADH . |
.Cm ADH . |
| Note that this rule does not cover |
Note that this rule does not cover |
| .Ar eNULL , |
.Cm eNULL , |
| which is not included by |
which is not included by |
| .Ar ALL |
.Cm ALL |
| (use |
(use |
| .Ar COMPLEMENTOFALL |
.Cm COMPLEMENTOFALL |
| if necessary). |
if necessary). |
| .It Ar ALL |
.It Cm ALL |
| All cipher suites except the |
All cipher suites except the |
| .Ar eNULL |
.Cm eNULL |
| ciphers which must be explicitly enabled. |
ciphers, which must be explicitly enabled. |
| .It Ar COMPLEMENTOFALL |
.It Cm COMPLEMENTOFALL |
| The cipher suites not enabled by |
The cipher suites not enabled by |
| .Ar ALL , |
.Cm ALL , |
| currently being |
currently being |
| .Ar eNULL . |
.Cm eNULL . |
| .It Ar HIGH |
.It Cm HIGH |
| .Qq High |
.Qq High |
| encryption cipher suites. |
encryption cipher suites. |
| This currently means those with key lengths larger than 128 bits. |
This currently means those with key lengths larger than 128 bits. |
| .It Ar MEDIUM |
.It Cm MEDIUM |
| .Qq Medium |
.Qq Medium |
| encryption cipher suites, currently those using 128-bit encryption. |
encryption cipher suites, currently those using 128-bit encryption. |
| .It Ar LOW |
.It Cm LOW |
| .Qq Low |
.Qq Low |
| encryption cipher suites, currently those using 64- or 56-bit encryption |
encryption cipher suites, currently those using 64- or 56-bit encryption |
| algorithms. |
algorithms. |
| .It Ar eNULL , NULL |
.It Cm eNULL , NULL |
| The |
The |
| .Qq NULL |
.Qq NULL |
| ciphers; that is, those offering no encryption. |
ciphers; that is, those offering no encryption. |
| Because these offer no encryption at all and are a security risk, |
Because these offer no encryption at all and are a security risk, |
| they are disabled unless explicitly included. |
they are disabled unless explicitly included. |
| .It Ar aNULL |
.It Cm aNULL |
| The cipher suites offering no authentication. |
The cipher suites offering no authentication. |
| This is currently the anonymous DH algorithms. |
This is currently the anonymous DH algorithms. |
| These cipher suites are vulnerable to a |
These cipher suites are vulnerable to a |
| .Qq man in the middle |
.Qq man in the middle |
| attack, so their use is normally discouraged. |
attack, so their use is normally discouraged. |
| .It Ar kRSA , RSA |
.It Cm kRSA , RSA |
| Cipher suites using RSA key exchange. |
Cipher suites using RSA key exchange. |
| .It Ar kEDH |
.It Cm kEDH |
| Cipher suites using ephemeral DH key agreement. |
Cipher suites using ephemeral DH key agreement. |
| .It Ar aRSA |
.It Cm aRSA |
| Cipher suites using RSA authentication, i.e. the certificates carry RSA keys. |
Cipher suites using RSA authentication, i.e. the certificates carry RSA keys. |
| .It Ar aDSS , DSS |
.It Cm aDSS , DSS |
| Cipher suites using DSS authentication, i.e. the certificates carry DSS keys. |
Cipher suites using DSS authentication, i.e. the certificates carry DSS keys. |
| .It Ar TLSv1 |
.It Cm TLSv1 |
| TLS v1.0 cipher suites. |
TLS v1.0 cipher suites. |
| .It Ar DH |
.It Cm DH |
| Cipher suites using DH, including anonymous DH. |
Cipher suites using DH, including anonymous DH. |
| .It Ar ADH |
.It Cm ADH |
| Anonymous DH cipher suites. |
Anonymous DH cipher suites. |
| .It Ar AES |
.It Cm AES |
| Cipher suites using AES. |
Cipher suites using AES. |
| .It Ar 3DES |
.It Cm 3DES |
| Cipher suites using triple DES. |
Cipher suites using triple DES. |
| .It Ar DES |
.It Cm DES |
| Cipher suites using DES |
Cipher suites using DES |
| .Pq not triple DES . |
.Pq not triple DES . |
| .It Ar RC4 |
.It Cm RC4 |
| Cipher suites using RC4. |
Cipher suites using RC4. |
| .It Ar CAMELLIA |
.It Cm CAMELLIA |
| Cipher suites using Camellia. |
Cipher suites using Camellia. |
| .It Ar CHACHA20 |
.It Cm CHACHA20 |
| Cipher suites using ChaCha20. |
Cipher suites using ChaCha20. |
| .It Ar IDEA |
.It Cm IDEA |
| Cipher suites using IDEA. |
Cipher suites using IDEA. |
| .It Ar MD5 |
.It Cm MD5 |
| Cipher suites using MD5. |
Cipher suites using MD5. |
| .It Ar SHA1 , SHA |
.It Cm SHA1 , SHA |
| Cipher suites using SHA1. |
Cipher suites using SHA1. |
| .El |
.El |
| .Sh CIPHERS EXAMPLES |
|
| Verbose listing of all |
|
| .Nm OpenSSL |
|
| ciphers including NULL ciphers: |
|
| .Pp |
|
| .Dl $ openssl ciphers -v 'ALL:eNULL' |
|
| .Pp |
|
| Include all ciphers except NULL and anonymous DH then sort by |
|
| strength: |
|
| .Pp |
|
| .Dl $ openssl ciphers -v 'ALL:!ADH:@STRENGTH' |
|
| .Pp |
|
| Include only 3DES ciphers and then place RSA ciphers last: |
|
| .Pp |
|
| .Dl $ openssl ciphers -v '3DES:+RSA' |
|
| .Pp |
|
| Include all RC4 ciphers but leave out those without authentication: |
|
| .Pp |
|
| .Dl $ openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT' |
|
| .Pp |
|
| Include all ciphers with RSA authentication but leave out ciphers without |
|
| encryption: |
|
| .Pp |
|
| .Dl $ openssl ciphers -v 'RSA:!COMPLEMENTOFALL' |
|
| .\" |
.\" |
| .\" CRL |
.\" CRL |
| .\" |
.\" |
![[BACK]](/icons/back.gif){kind=icon}
Return to openssl.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / openssl