=head1 NAME
-ciphers - SSL cipher display and cipher list tool.
+ciphers - SSL cipher display and cipher list tool
=head1 SYNOPSIS
[B<-tls1_2>]
[B<-s>]
[B<-psk>]
+[B<-srp>]
[B<-stdname>]
[B<cipherlist>]
=item B<-s>
-Only list supported ciphers: those consistent with the security level. This
-is the actual cipher list an application will support. If this option is
-not used then ciphers excluded by the security level will still be listed.
+Only list supported ciphers: those consistent with the security level, and
+minimum and maximum protocol version. This is closer to the actual cipher list
+an application will support.
+
+PSK and SRP ciphers are not enabled by default: they require B<-psk> or B<-srp>
+to enable them.
+
+It also does not change the default list of supported signature algorithms.
+
+On a server the list of supported ciphers might also exclude other ciphers
+depending on the configured certificates and presence of DH parameters.
+
+If this option is not used then all ciphers that match the cipherlist will be
+listed.
=item B<-psk>
When combined with B<-s> includes cipher suites which require PSK.
+=item B<-srp>
+
+When combined with B<-s> includes cipher suites which require SRP.
+
=item B<-v>
Verbose output: For each ciphersuite, list details as provided by
=item B<COMPLEMENTOFDEFAULT>
The ciphers included in B<ALL>, but not enabled by default. Currently
-this includes all RC4, DES, RC2 and anonymous ciphers. Note that this rule does
+this includes all RC4 and anonymous ciphers. Note that this rule does
not cover B<eNULL>, which is not included by B<ALL> (use B<COMPLEMENTOFALL> if
-necessary).
+necessary). Note that RC4 based ciphersuites are not built into OpenSSL by
+default (see the enable-weak-ssl-ciphers option to Configure).
=item B<ALL>
=item B<AECDH>
-Anonymous Elliptic Curve Diffie Hellman cipher suites.
+Anonymous Elliptic Curve Diffie-Hellman cipher suites.
=item B<aDSS>, B<DSS>
that several cipher suite names do not include the authentication used,
e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
-=head2 SSL v3.0 cipher suites.
+=head2 SSL v3.0 cipher suites
SSL_RSA_WITH_NULL_MD5 NULL-MD5
SSL_RSA_WITH_NULL_SHA NULL-SHA
SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented.
SSL_FORTEZZA_KEA_WITH_RC4_128_SHA Not implemented.
-=head2 TLS v1.0 cipher suites.
+=head2 TLS v1.0 cipher suites
TLS_RSA_WITH_NULL_MD5 NULL-MD5
TLS_RSA_WITH_NULL_SHA NULL-SHA
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-RSA-CAMELLIA128-SHA256
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-RSA-CAMELLIA256-SHA384
-=head2 Pre shared keying (PSK) ciphersuites
+=head2 Pre-shared keying (PSK) ciphersuites
PSK_WITH_NULL_SHA PSK-NULL-SHA
DHE_PSK_WITH_NULL_SHA DHE-PSK-NULL-SHA
DHE_PSK_WITH_AES_128_CCM_8 DHE-PSK-AES128-CCM8
DHE_PSK_WITH_AES_256_CCM_8 DHE-PSK-AES256-CCM8
-=head2 ChaCha20-Poly1305 cipher suites from draft-ietf-tls-chacha20-poly1305-04, extending TLS v1.2
+=head2 ChaCha20-Poly1305 cipher suites, extending TLS v1.2
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE-RSA-CHACHA20-POLY1305
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-CHACHA20-POLY1305
TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 DHE-PSK-CHACHA20-POLY1305
TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 RSA-PSK-CHACHA20-POLY1305
+=head2 Older names used by OpenSSL
+
+The following names are accepted by older releases:
+
+ SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA (DHE-RSA-DES-CBC3-SHA)
+ SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA (DHE-DSS-DES-CBC3-SHA)
+
=head1 NOTES
Some compiled versions of OpenSSL may not include all the ciphers
The B<-V> option for the B<ciphers> command was added in OpenSSL 1.0.0.
+=head1 COPYRIGHT
+
+Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
=cut