-.\" $OpenBSD: openssl.1,v 1.35 2016/07/19 20:02:47 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.36 2016/07/20 14:42:03 jmc Exp $
.\" ====================================================================
.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
.\"
.\"
.\" OPENSSL
.\"
-.Dd $Mdocdate: July 19 2016 $
+.Dd $Mdocdate: July 20 2016 $
.Dt OPENSSL 1
.Os
.Sh NAME
The same as
.Fl extensions .
.El
-.\"
-.\" CIPHERS
-.\"
.Sh CIPHERS
.Nm openssl ciphers
.Op Fl hVv
The
.Nm ciphers
command converts
-.Nm OpenSSL
+.Nm openssl
cipher lists into ordered SSL cipher preference lists.
It can be used as a test tool to determine the appropriate cipherlist.
.Pp
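Review bot: dropping the `.\" CIPHERS` comment banner here leaves the file inconsistent, because the matching `.\" CRL` banner that opens the next section is kept at the end of this patch; either remove every section banner in the file or leave this one in place so the sections stay uniformly marked.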
.It Fl tls1
Only include TLS v1 ciphers.
.It Fl V
-Like
-.Fl v ,
-but include cipher suite codes in output (hex format).
-.It Fl v
-Verbose option.
+Verbose.
List ciphers with a complete description of protocol version,
-key exchange, authentication, encryption and mac algorithms used along with
-any key size restrictions.
-Note that without the
-.Fl v
-option, ciphers may seem to appear twice in a cipher list.
+key exchange, authentication, encryption and mac algorithms,
+any key size restrictions,
+and cipher suite codes (hex format).
+.It Fl v
+Like
+.Fl V ,
+but without cipher suite codes.
.It Ar cipherlist
A cipher list to convert to a cipher preference list.
If it is not included, the default cipher list will be used.
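Review bot: the rewrite of the -V and -v entries silently drops the sentence that, without -v, ciphers may seem to appear twice in a cipher list; if that behaviour still holds, keep it under the new `.It Fl v` entry (for example "Note that without the .Fl v option, ciphers may seem to appear twice in a cipher list."), since nothing else in the page explains the duplicated names a reader will see in the plain listing.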
-The format is described below.
-.El
-.Sh CIPHERS LIST FORMAT
-The cipher list consists of one or more
-.Em cipher strings
+.Pp
+The cipher list consists of one or more cipher strings
separated by colons.
Commas or spaces are also acceptable separators, but colons are normally used.
.Pp
-The actual
-.Em cipher string
-can take several different forms:
+The actual cipher string can take several different forms:
.Pp
-It can consist of a single cipher suite such as
-.Em RC4-SHA .
+It can consist of a single cipher suite, such as RC4-SHA.
.Pp
It can represent a list of cipher suites containing a certain algorithm,
or cipher suites of a certain type.
-For example
-.Em SHA1
-represents all cipher suites using the digest algorithm SHA1.
+For example SHA1 represents all cipher suites using the digest algorithm SHA1.
.Pp
-Lists of cipher suites can be combined in a single
-.Em cipher string
-using the
+Lists of cipher suites can be combined in a single cipher string using the
.Sq +
-character.
-This is used as a logical
-.Em and
-operation.
-For example,
-.Em SHA1+DES
-represents all cipher suites containing the SHA1 and the DES algorithms.
+character
+(logical AND operation).
+For example, SHA1+DES represents all cipher suites
+containing the SHA1 and DES algorithms.
.Pp
Each cipher string can be optionally preceded by the characters
.Sq \&! ,
.Sq - ,
or
.Sq + .
-.Pp
If
.Sq !\&
is used, then the ciphers are permanently deleted from the list.
The ciphers deleted can never reappear in the list even if they are
explicitly stated.
-.Pp
If
.Sq -
is used, then the ciphers are deleted from the list, but some or
all of the ciphers can be added again by later options.
-.Pp
If
.Sq +
is used, then the ciphers are moved to the end of the list.
that is, they will not be moved to the end of the list.
.Pp
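Review bot: removing the three `.Pp` breaks between the `!`, `-` and `+` rules folds three distinct behaviours into one run-on paragraph, which makes them harder to scan; either keep the paragraph breaks or turn the three rules into a tag list. The untouched context line "that is, they will not be moved to the end of the list." after the `+` rule is a stray fragment that contradicts the sentence before it; it reads like the remnant of a sentence explaining that `+` only reorders ciphers already in the list rather than adding new ones, so while this region is being edited either restore that sentence or drop the fragment.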
Additionally, the cipher string
-.Em @STRENGTH
+.Cm @STRENGTH
can be used at any point to sort the current cipher list in order of
encryption algorithm key length.
-.Sh CIPHERS STRINGS
+.El
+.Pp
The following is a list of all permitted cipher strings and their meanings.
.Bl -tag -width "XXXX"
-.It Ar DEFAULT
+.It Cm DEFAULT
The default cipher list.
This is determined at compile time and is currently
-.Ar ALL:!aNULL:!eNULL:!SSLv2 .
-This must be the first
-.Ar cipher string
-specified.
-.It Ar COMPLEMENTOFDEFAULT
+.Cm ALL:!aNULL:!eNULL:!SSLv2 .
+This must be the first cipher string specified.
+.It Cm COMPLEMENTOFDEFAULT
The ciphers included in
-.Ar ALL ,
+.Cm ALL ,
but not enabled by default.
Currently this is
-.Ar ADH .
+.Cm ADH .
Note that this rule does not cover
-.Ar eNULL ,
+.Cm eNULL ,
which is not included by
-.Ar ALL
+.Cm ALL
(use
-.Ar COMPLEMENTOFALL
+.Cm COMPLEMENTOFALL
if necessary).
-.It Ar ALL
+.It Cm ALL
All cipher suites except the
-.Ar eNULL
-ciphers which must be explicitly enabled.
-.It Ar COMPLEMENTOFALL
+.Cm eNULL
+ciphers, which must be explicitly enabled.
+.It Cm COMPLEMENTOFALL
The cipher suites not enabled by
-.Ar ALL ,
+.Cm ALL ,
currently being
-.Ar eNULL .
-.It Ar HIGH
+.Cm eNULL .
+.It Cm HIGH
.Qq High
encryption cipher suites.
This currently means those with key lengths larger than 128 bits.
-.It Ar MEDIUM
+.It Cm MEDIUM
.Qq Medium
encryption cipher suites, currently those using 128-bit encryption.
-.It Ar LOW
+.It Cm LOW
.Qq Low
encryption cipher suites, currently those using 64- or 56-bit encryption
algorithms.
-.It Ar eNULL , NULL
+.It Cm eNULL , NULL
The
.Qq NULL
ciphers; that is, those offering no encryption.
Because these offer no encryption at all and are a security risk,
they are disabled unless explicitly included.
-.It Ar aNULL
+.It Cm aNULL
The cipher suites offering no authentication.
This is currently the anonymous DH algorithms.
These cipher suites are vulnerable to a
.Qq man in the middle
attack, so their use is normally discouraged.
-.It Ar kRSA , RSA
+.It Cm kRSA , RSA
Cipher suites using RSA key exchange.
-.It Ar kEDH
+.It Cm kEDH
Cipher suites using ephemeral DH key agreement.
-.It Ar aRSA
+.It Cm aRSA
Cipher suites using RSA authentication, i.e. the certificates carry RSA keys.
-.It Ar aDSS , DSS
+.It Cm aDSS , DSS
Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
-.It Ar TLSv1
+.It Cm TLSv1
TLS v1.0 cipher suites.
-.It Ar DH
+.It Cm DH
Cipher suites using DH, including anonymous DH.
-.It Ar ADH
+.It Cm ADH
Anonymous DH cipher suites.
-.It Ar AES
+.It Cm AES
Cipher suites using AES.
-.It Ar 3DES
+.It Cm 3DES
Cipher suites using triple DES.
-.It Ar DES
+.It Cm DES
Cipher suites using DES
.Pq not triple DES .
-.It Ar RC4
+.It Cm RC4
Cipher suites using RC4.
-.It Ar CAMELLIA
+.It Cm CAMELLIA
Cipher suites using Camellia.
-.It Ar CHACHA20
+.It Cm CHACHA20
Cipher suites using ChaCha20.
-.It Ar IDEA
+.It Cm IDEA
Cipher suites using IDEA.
-.It Ar MD5
+.It Cm MD5
Cipher suites using MD5.
-.It Ar SHA1 , SHA
+.It Cm SHA1 , SHA
Cipher suites using SHA1.
.El
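Review bot: the `.Ar` to `.Cm` conversion is applied consistently across the list, but the `DEFAULT` entry still documents the compiled-in default as `ALL:!aNULL:!eNULL:!SSLv2` while `SSLv2` appears nowhere among the permitted cipher strings (only `TLSv1` is listed); either add the missing entry or, if SSLv2 suites are no longer built, drop the obsolete `!SSLv2` from the documented default so the two parts of the page agree.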
-.Sh CIPHERS EXAMPLES
-Verbose listing of all
-.Nm OpenSSL
-ciphers including NULL ciphers:
-.Pp
-.Dl $ openssl ciphers -v 'ALL:eNULL'
-.Pp
-Include all ciphers except NULL and anonymous DH then sort by
-strength:
-.Pp
-.Dl $ openssl ciphers -v 'ALL:!ADH:@STRENGTH'
-.Pp
-Include only 3DES ciphers and then place RSA ciphers last:
-.Pp
-.Dl $ openssl ciphers -v '3DES:+RSA'
-.Pp
-Include all RC4 ciphers but leave out those without authentication:
-.Pp
-.Dl $ openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT'
-.Pp
-Include all ciphers with RSA authentication but leave out ciphers without
-encryption:
-.Pp
-.Dl $ openssl ciphers -v 'RSA:!COMPLEMENTOFALL'
.\"
.\" CRL
.\"
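Review bot: deleting the whole CIPHERS EXAMPLES section removes the only worked illustrations of `!`, `+`, `@STRENGTH`, `COMPLEMENTOFDEFAULT` and `COMPLEMENTOFALL` with nothing replacing them, and those are exactly the strings an administrator hardening a cipher list is most likely to get wrong; keep at least the two that exercise them, `.Dl $ openssl ciphers -v 'ALL:!ADH:@STRENGTH'` and `.Dl $ openssl ciphers -v 'RSA:!COMPLEMENTOFALL'`, under the `cipherlist` description now that the separate section is gone.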