On Tue, Oct 22, 2019 at 05:37:14PM -0400, J Doe wrote:
> > On Oct 22, 2019, at 1:18 AM, Viktor Dukhovni <[hidden email]> wrote:
> > $ openssl ciphers -stdname -s -tls1 -V AES256-SHA
> > 0x00,0x35 - TLS_RSA_WITH_AES_256_CBC_SHA - AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
> Ah, cool - I did not realize I could use the openssl command to “translate”
> the string that way.
> I see the AES mode, now, but I still can’t see whether DH/DHE/ECDHE was
> used for negotiation (or am I missing that in the output) ?
You see them not used. Kx=RSA. See ciphers(1):
    -v  Verbose output: For each cipher suite, list details as provided by
        SSL_CIPHER_description(3).

SSL_CIPHER_get_kx_nid() returns the key exchange NID corresponding to
the method used by c. If there is no key exchange, then NID_undef is
returned. If any appropriate key exchange algorithm can be used (as in
the case of TLS 1.3 cipher suites) NID_kx_any is returned. Examples

The string returned by SSL_CIPHER_description() consists of several
fields separated by whitespace:

    <ciphername>
        Textual representation of the cipher name.

    <protocol version>
        The minimum protocol version that the ciphersuite supports, such as
        TLSv1.2. Note that this is not always the same as the protocol
        version in which the ciphersuite was first defined because some
        ciphersuites are backwards compatible with earlier protocol
        versions.

    Kx=<key exchange>
        Key exchange method such as RSA, ECDHE, etc.

    Au=<authentication>
        Authentication method such as RSA, None, etc. None is the
        representation of anonymous ciphers.

    Enc=<symmetric encryption method>
        Encryption method, with number of secret bits, such as AESGCM(128).

    Mac=<message authentication code>
        Message digest, such as SHA256.

Some examples for the output of SSL_CIPHER_description():
Thank you for sending this - for some reason, I had it in my mind that key distribution was only via DH/DHE/ECDHE and I completely forgot about RSA (as well as a couple of others, which are also helpfully displayed in the TLS article on Wikipedia).
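The Kx= and Au= fields discussed in the thread are exactly what a cipher-list audit has to read, so here is an added example (written for this page, not code from the list thread or from OpenSSL): a POSIX shell script that takes `openssl ciphers -V` (or `-stdname -V`) output and flags suites with no forward secrecy (Kx=RSA, i.e. the premaster secret is encrypted to the server's long-term key) and anonymous suites (Au=None). It assumes the Kx names OpenSSL 1.1.1 and 3.x actually print, which differ from the man page's "ECDHE" wording: ephemeral ECDHE/DHE suites show as Kx=ECDH and Kx=DH, and TLS 1.3 suites show as Kx=any. The sample lines embedded below are constructed for the example, not captured from the thread.

```shell
#!/bin/sh
# Classify OpenSSL cipher-suite description lines by their Kx= and Au= fields.
# Added example; assumptions:
#  - input lines are `openssl ciphers -V` / `-stdname -V` output, i.e. they
#    carry whitespace-separated Kx=... and Au=... tokens;
#  - Kx names are those OpenSSL 1.1.1/3.x print: ephemeral suites appear as
#    Kx=ECDH / Kx=DH, TLS 1.3 suites as Kx=any, RSA key transport as Kx=RSA.

# Print the value of one "Name=value" token from a description line.
field_of() {            # $1 = field name (Kx or Au), $2 = description line
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Map one description line to a verdict: forward-secret, not-forward-secret,
# anonymous, unparsed, or unknown:<kx>.
forward_secrecy_of() {  # $1 = one description line
    kx=$(field_of Kx "$1")
    au=$(field_of Au "$1")
    if [ "$au" = None ]; then
        echo anonymous           # no peer authentication: trivially MITM-able
        return 0
    fi
    case "$kx" in
        ECDH|DH|ECDHEPSK|DHEPSK) echo forward-secret ;;      # ephemeral (EC)DH
        any)                     echo forward-secret ;;      # TLS 1.3 key_share
        RSA|RSAPSK|PSK)          echo not-forward-secret ;;  # key transport / bare PSK
        '')                      echo unparsed ;;
        *)                       echo "unknown:$kx" ;;
    esac
}

# Read description lines on stdin and print "<verdict>\t<line>" for each.
report() {
    while IFS= read -r line; do
        case "$line" in *Kx=*) ;; *) continue ;; esac
        printf '%s\t%s\n' "$(forward_secrecy_of "$line")" "$line"
    done
}

# Count stdin lines that lack forward secrecy (usable as a CI gate: fail if > 0).
count_not_forward_secret() {
    n=0
    while IFS= read -r line; do
        case "$line" in *Kx=*) ;; *) continue ;; esac
        if [ "$(forward_secrecy_of "$line")" = not-forward-secret ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample of `openssl ciphers -V` output (typed for this example).
SAMPLE='0x13,0x02 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x35 - AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
0xC0,0x19 - AECDH-AES256-SHA TLSv1 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1'

printf '%s\n' "$SAMPLE" | report
echo "suites without forward secrecy in sample: $(printf '%s\n' "$SAMPLE" | count_not_forward_secret)"

# Live audit of the library's DEFAULT list when an openssl binary is available.
if command -v openssl >/dev/null 2>&1; then
    openssl ciphers -V 'DEFAULT' | report
fi
```

To audit a server's actual configuration, pipe `openssl ciphers -V '<the server cipher string>'` into `report`; anything tagged not-forward-secret is a suite where recording traffic now and obtaining the RSA private key later decrypts it, which is the property the thread's Kx=RSA line is telling you about.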