From 343e5cf194b7baf244ed24efa4b8e6d9fc5d4921 Mon Sep 17 00:00:00 2001 From: Hubert Kario Date: Fri, 6 Jun 2014 15:23:19 +0200 Subject: [PATCH] add ECC strings to ciphers(1), point out difference between DH and ECDH * Make a clear distinction between DH and ECDH key exchange. * Group all key exchange cipher suite identifiers, first DH then ECDH * add descriptions for all supported *DH* identifiers * add ECDSA authentication descriptions * add example showing how to disable all suites that offer no authentication or encryption --- doc/apps/ciphers.pod | 76 ++++++++++++++++++++++++++++++++++---------- 1 file changed, 60 insertions(+), 16 deletions(-) diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod index ca839af56a..153e891015 100644 --- a/doc/apps/ciphers.pod +++ b/doc/apps/ciphers.pod @@ -132,8 +132,8 @@ specified. =item B the ciphers included in B, but not enabled by default. Currently -this is B. Note that this rule does not cover B, which is -not included by B (use B if necessary). +this is B and B. Note that this rule does not cover B, +which is not included by B (use B if necessary). =item B 
@@ -182,22 +182,59 @@ included. =item B the cipher suites offering no authentication. This is currently the anonymous -DH algorithms. These cipher suites are vulnerable to a "man in the middle" -attack and so their use is normally discouraged. +DH algorithms and anonymous ECDH algorithms. These cipher suites are vulnerable +to a "man in the middle" attack and so their use is normally discouraged. =item B, B, B cipher suites using RSA key exchange, authentication or either respectively. -=item B - -cipher suites using ephemeral DH key agreement. - =item B, B, B cipher suites using DH key agreement and DH certificates signed by CAs with RSA and DSS keys or either respectively. +=item B, B + +cipher suites using ephemeral DH key agreement, including anonymous cipher +suites. + +=item B, B + +cipher suites using authenticated ephemeral DH key agreement. + +=item B + +anonymous DH cipher suites, note that this does not include anonymous Elliptic +Curve DH (ECDH) cipher suites. + +=item B + +cipher suites using DH, including anonymous DH, ephemeral DH and fixed DH. + +=item B, B, B + +cipher suites using fixed ECDH key agreement signed by CAs with RSA and ECDSA +keys or either respectively. + +=item B, B + +cipher suites using ephemeral ECDH key agreement, including anonymous +cipher suites. + +=item B, B + +cipher suites using authenticated ephemeral ECDH key agreement. + +=item B + +anonymous Elliptic Curve Diffie Hellman cipher suites. + +=item B + +cipher suites using ECDH key exchange, including anonymous, ephemeral and +fixed ECDH. + =item B, B cipher suites using DSS authentication, i.e. the certificates carry DSS keys. 
@@ -207,6 +244,16 @@ cipher suites using DSS authentication, i.e. the certificates carry DSS keys. cipher suites effectively using DH authentication, i.e. the certificates carry DH keys. +=item B + +cipher suites effectively using ECDH authentication, i.e. the certificates +carry ECDH keys. + +=item B, B + +cipher suites using ECDSA authentication, i.e. the certificates carry ECDSA +keys. + =item B, B, B, B ciphers suites using FORTEZZA key exchange, authentication, encryption or all @@ -217,14 +264,6 @@ FORTEZZA algorithms. Not implemented. TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note: there are no ciphersuites specific to TLS v1.1. -=item B - -cipher suites using DH, including anonymous DH, ephemeral DH and fixed DH. - -=item B - -anonymous DH cipher suites. - =item B, B, B cipher suites using 128 bit AES, 256 bit AES or either 128 or 256 bit AES. @@ -582,6 +621,11 @@ strength: openssl ciphers -v 'ALL:!ADH:@STRENGTH' +Include all ciphers except ones with no encryption (eNULL) or no +authentication (aNULL): + + openssl ciphers -v 'ALL:!aNULL' + Include only 3DES ciphers and then place RSA ciphers last: openssl ciphers -v '3DES:+RSA' -- 2.25.1
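Review bot: in the second hunk (@@ -182,22 +182,59 @@) the new ADH entry "anonymous DH cipher suites, note that this does not include anonymous Elliptic Curve DH (ECDH) cipher suites." is a comma splice; split it into two sentences ("anonymous DH cipher suites. Note that this does not include anonymous Elliptic Curve DH (ECDH) cipher suites."). In the same hunk, "Elliptic Curve Diffie Hellman" should be hyphenated as "Diffie-Hellman", and the final ECDH entry says "key exchange" while the neighbouring DH and ECDH entries all say "key agreement"; use one term consistently so the two families read as parallel.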
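Review bot: in the last hunk (@@ -582,6 +621,11 @@) the sentence promises to exclude both "no encryption (eNULL)" and "no authentication (aNULL)", but the command only excludes aNULL: `openssl ciphers -v 'ALL:!aNULL'`. Either make the command match the description (`openssl ciphers -v 'ALL:!aNULL:!eNULL'`) or, if the example relies on ALL already leaving out eNULL, say so in the sentence; as written, a reader comparing the prose to the string will think a term was dropped.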