LinuxQuestions.org


markseger 03-18-2013 10:39 AM

How do you change cipher list order with openssl cipher command?
 
I just discovered this and according to what I'm reading you can use this to change the order a client requests ciphers in.

After displaying the current order of my cipher list with the command

Code:

ubuntu@server-1359495587-az-2-region-a-geo-1:~$ openssl ciphers

I finally figured out the syntax to change the cipher order, at least I think I did because until I put a space after the plus sign, I got errors:

Code:

ubuntu@server-1359495587-az-2-region-a-geo-1:~$ openssl ciphers + ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384

But after I run the command, the cipher list order is still the same. Can someone help and/or clarify exactly what the point of this command is? Maybe I've misunderstood what it does.

-mark

acid_kewpie 03-20-2013 04:45 AM

The + there is doing nothing at all. What you're doing there is asking for a list of ciphers that match "ECDHE-RSA-AES256-GCM-SHA384", which is obviously just one. Compared to...

Code:

openssl ciphers MD5
ADH-RC4-MD5:EXP-ADH-RC4-MD5:EXP-RC2-CBC-MD5:RC4-MD5:EXP-RC4-MD5:NULL-MD5:DES-CBC3-MD5:DES-CBC-MD5:EXP-RC2-CBC-MD5:RC2-CBC-MD5:EXP-RC4-MD5:RC4-MD5

which lists all ciphers using MD5, and also...

Code:

openssl ciphers MD5+3DES
DES-CBC3-MD5

listing all ciphers with MD5 and 3DES.

You can't change the default order of those ciphers; you arrange your preferred cipher list as you see fit:

Code:

openssl ciphers HIGH:MEDIUM
ADH-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:ADH-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:ADH-RC4-MD5:RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5

openssl ciphers MEDIUM:HIGH
ADH-RC4-MD5:RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5:ADH-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:ADH-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5

So you can see there the order is different as the matching terms are in a different order.
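
An added example, not part of either post and not OpenSSL's own tooling: it takes the two lists quoted above as constructed input, reports where a given cipher ranks in each, and flags the anonymous, RC4, RC2, export, NULL and MD5 entries that neither `HIGH:MEDIUM` nor `MEDIUM:HIGH` removes. The function names, the flag patterns and the `spec` string with `!aNULL:!MD5` are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed input: the two outputs
# quoted in the answer above, copied verbatim.
HIGH_MEDIUM='ADH-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:ADH-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:ADH-RC4-MD5:RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5'
MEDIUM_HIGH='ADH-RC4-MD5:RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5:ADH-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:ADH-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5'

# cipher_rank LIST NAME: 1-based position of NAME in a colon-separated list
# (earlier means more preferred), or 0 when NAME is not in the list.
cipher_rank() (
    IFS=:; set -f; i=0
    for c in $1; do
        i=$((i + 1))
        if [ "$c" = "$2" ]; then echo "$i"; exit 0; fi
    done
    echo 0
)

# flag_weak LIST: print "rank name" for entries that are anonymous (ADH,
# AECDH), export-grade, NULL, RC4, RC2 or MD5-based. These patterns are this
# example's assumption about what to flag; they match on the name only.
flag_weak() (
    IFS=:; set -f; i=0
    for c in $1; do
        i=$((i + 1))
        case "$c" in
            ADH-*|AECDH-*|EXP-*|*NULL*|*RC4*|*RC2*|*-MD5) echo "$i $c" ;;
        esac
    done
)

# report LABEL LIST: where AES256-SHA lands and what was flagged.
report() {
    echo "$1: AES256-SHA at rank $(cipher_rank "$2" AES256-SHA)," \
         "$(flag_weak "$2" | wc -l | tr -d ' ') flagged," \
         "first flagged: $(flag_weak "$2" | sed -n 1p)"
}

report 'HIGH:MEDIUM' "$HIGH_MEDIUM"
report 'MEDIUM:HIGH' "$MEDIUM_HIGH"

# Local build: name the preferred cipher first, then exclude weak groups.
# OpenSSL 1.1.1 and later print TLS 1.3 suites ahead of this list.
if command -v openssl >/dev/null 2>&1; then
    spec='ECDHE-RSA-AES256-GCM-SHA384:HIGH:!aNULL:!MD5'
    live=$(openssl ciphers "$spec" 2>/dev/null) || live=''
    echo "$spec: preferred cipher at rank" \
         "$(cipher_rank "$live" ECDHE-RSA-AES256-GCM-SHA384)"
    flag_weak "$live"
fi
```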

