=head1 NAME
+openssl-ciphers,
ciphers - SSL cipher display and cipher list tool
=head1 SYNOPSIS
[B<-tls1>]
[B<-tls1_1>]
[B<-tls1_2>]
+[B<-tls1_3>]
[B<-s>]
[B<-psk>]
[B<-srp>]
[B<-stdname>]
+[B<-convert name>]
+[B<-ciphersuites val>]
[B<cipherlist>]
=head1 DESCRIPTION
SSL cipher preference lists. It can be used as a test tool to determine
the appropriate cipherlist.
-=head1 COMMAND OPTIONS
+=head1 OPTIONS
=over 4
=item B<-v>
-Verbose output: For each ciphersuite, list details as provided by
+Verbose output: For each cipher suite, list details as provided by
L<SSL_CIPHER_description(3)>.
=item B<-V>
Like B<-v>, but include the official cipher suite values in hex.
-=item B<-tls1_2>
+=item B<-tls1_3>, B<-tls1_2>, B<-tls1_1>, B<-tls1>, B<-ssl3>
-In combination with the B<-s> option, list the ciphers which would be used if
-TLSv1.2 were negotiated.
+In combination with the B<-s> option, list the ciphers which could be used if
+the specified protocol were negotiated.
+Note that not all protocols and flags may be available, depending on how
+OpenSSL was built.
-=item B<-ssl3>
-
-In combination with the B<-s> option, list the ciphers which would be used if
-SSLv3 were negotiated.
+=item B<-stdname>
-=item B<-tls1>
+Precede each cipher suite by its standard name.
-In combination with the B<-s> option, list the ciphers which would be used if
-TLSv1 were negotiated.
+=item B<-convert name>
-=item B<-tls1_1>
+Convert a standard cipher B<name> to its OpenSSL name.
-In combination with the B<-s> option, list the ciphers which would be used if
-TLSv1.1 were negotiated.
+=item B<-ciphersuites val>
-=item B<-stdname>
+Sets the list of TLSv1.3 ciphersuites. This list will be combined with any
+TLSv1.2 and below ciphersuites that have been configured. The format for this
+list is a simple colon (":") separated list of TLSv1.3 ciphersuite names. By
+default this value is:
-precede each ciphersuite by its standard name: only available is OpenSSL
-is built with tracing enabled (B<enable-ssl-trace> argument to Configure).
+ TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
=item B<cipherlist>
-a cipher list to convert to a cipher preference list. If it is not included
-then the default cipher list will be used. The format is described below.
+A cipher list of TLSv1.2 and below ciphersuites to convert to a cipher
+preference list. This list will be combined with any TLSv1.3 ciphersuites that
+have been configured. If it is not included then the default cipher list will be
+used. The format is described below.
=back
cipher list in order of encryption algorithm key length.
The cipher string B<@SECLEVEL=n> can be used at any point to set the security
-level to B<n>.
+level to B<n>, which should be a number between zero and five, inclusive.
+See L<SSL_CTX_set_security_level> for a description of what each level means.
+
+The cipher list can be prefixed with the B<DEFAULT> keyword, which enables
+the default cipher list as defined below. Unlike cipher strings,
+this prefix may not be combined with other strings using B<+> character.
+For example, B<DEFAULT+DES> is not valid.
+
+The content of the default list is determined at compile time and normally
+corresponds to B<ALL:!COMPLEMENTOFDEFAULT:!eNULL>.
=head1 CIPHER STRINGS
=over 4
-=item B<DEFAULT>
-
-The default cipher list.
-This is determined at compile time and is normally
-B<ALL:!COMPLEMENTOFDEFAULT:!eNULL>.
-When used, this must be the first cipherstring specified.
-
=item B<COMPLEMENTOFDEFAULT>
The ciphers included in B<ALL>, but not enabled by default. Currently
this includes all RC4 and anonymous ciphers. Note that this rule does
not cover B<eNULL>, which is not included by B<ALL> (use B<COMPLEMENTOFALL> if
-necessary). Note that RC4 based ciphersuites are not built into OpenSSL by
+necessary). Note that RC4 based cipher suites are not built into OpenSSL by
default (see the enable-weak-ssl-ciphers option to Configure).
=item B<ALL>
=item B<HIGH>
-"high" encryption cipher suites. This currently means those with key lengths
+"High" encryption cipher suites. This currently means those with key lengths
larger than 128 bits, and some cipher suites with 128-bit keys.
=item B<MEDIUM>
-"medium" encryption cipher suites, currently some of those using 128 bit
+"Medium" encryption cipher suites, currently some of those using 128 bit
encryption.
=item B<LOW>
-"low" encryption cipher suites, currently those using 64 or 56 bit
+"Low" encryption cipher suites, currently those using 64 or 56 bit
encryption algorithms but excluding export cipher suites. All these
-ciphersuites have been removed as of OpenSSL 1.1.0.
+cipher suites have been removed as of OpenSSL 1.1.0.
=item B<eNULL>, B<NULL>
=item B<kRSA>, B<aRSA>, B<RSA>
-Cipher suites using RSA key exchange, authentication or either respectively.
+Cipher suites using RSA key exchange or authentication. B<RSA> is an alias for
+B<kRSA>.
=item B<kDHr>, B<kDHd>, B<kDH>
=item B<TLSv1.2>, B<TLSv1.0>, B<SSLv3>
-Lists ciphersuites which are only supported in at least TLS v1.2, TLS v1.0 or
+Lists cipher suites which are only supported in at least TLS v1.2, TLS v1.0 or
SSL v3.0 respectively.
-Note: there are no ciphersuites specific to TLS v1.1.
+Note: there are no cipher suites specific to TLS v1.1.
Since this is only the minimum version, if, for example, TLSv1.0 is negotiated
-then both TLSv1.0 and SSLv3.0 ciphersuites are available.
+then both TLSv1.0 and SSLv3.0 cipher suites are available.
Note: these cipher strings B<do not> change the negotiated version of SSL or
TLS, they only affect the list of available cipher suites.
=item B<AESGCM>
-AES in Galois Counter Mode (GCM): these ciphersuites are only supported
+AES in Galois Counter Mode (GCM): these cipher suites are only supported
in TLS v1.2.
=item B<AESCCM>, B<AESCCM8>
AES in Cipher Block Chaining - Message Authentication Mode (CCM): these
-ciphersuites are only supported in TLS v1.2. B<AESCCM> references CCM
+cipher suites are only supported in TLS v1.2. B<AESCCM> references CCM
cipher suites using both 16 and 8 octet Integrity Check Value (ICV)
while B<AESCCM8> only references 8 octet ICV.
+=item B<ARIA128>, B<ARIA256>, B<ARIA>
+
+Cipher suites using 128 bit ARIA, 256 bit ARIA or either 128 or 256 bit
+ARIA.
+
=item B<CAMELLIA128>, B<CAMELLIA256>, B<CAMELLIA>
-cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit
+Cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit
CAMELLIA.
=item B<CHACHA20>
-cipher suites using ChaCha20.
+Cipher suites using ChaCha20.
=item B<3DES>
-cipher suites using triple DES.
+Cipher suites using triple DES.
=item B<DES>
=item B<SHA256>, B<SHA384>
-Ciphersuites using SHA256 or SHA384.
+Cipher suites using SHA256 or SHA384.
=item B<aGOST>
RFC6460.
In particular the supported signature algorithms is reduced to support only
ECDSA and SHA256 or SHA384, only the elliptic curves P-256 and P-384 can be
-used and only the two suite B compliant ciphersuites
+used and only the two suite B compliant cipher suites
(ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-ECDSA-AES256-GCM-SHA384) are
permissible.
TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
-=head2 AES ciphersuites from RFC3268, extending TLS v1.0
+=head2 AES cipher suites from RFC3268, extending TLS v1.0
TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA
-=head2 Camellia ciphersuites from RFC4132, extending TLS v1.0
+=head2 Camellia cipher suites from RFC4132, extending TLS v1.0
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128-SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256-SHA
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA ADH-CAMELLIA128-SHA
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA ADH-CAMELLIA256-SHA
-=head2 SEED ciphersuites from RFC4162, extending TLS v1.0
+=head2 SEED cipher suites from RFC4162, extending TLS v1.0
TLS_RSA_WITH_SEED_CBC_SHA SEED-SHA
TLS_DH_anon_WITH_SEED_CBC_SHA ADH-SEED-SHA
-=head2 GOST ciphersuites from draft-chudov-cryptopro-cptls, extending TLS v1.0
+=head2 GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0
Note: these ciphers require an engine which including GOST cryptographic
algorithms, such as the B<ccgost> engine, included in the OpenSSL distribution.
ECDHE_ECDSA_WITH_AES_128_CCM_8 ECDHE-ECDSA-AES128-CCM8
ECDHE_ECDSA_WITH_AES_256_CCM_8 ECDHE-ECDSA-AES256-CCM8
-=head2 Camellia HMAC-Based ciphersuites from RFC6367, extending TLS v1.2
+=head2 ARIA cipher suites from RFC6209, extending TLS v1.2
+
+Note: the CBC modes mentioned in this RFC are not supported.
+
+ TLS_RSA_WITH_ARIA_128_GCM_SHA256 ARIA128-GCM-SHA256
+ TLS_RSA_WITH_ARIA_256_GCM_SHA384 ARIA256-GCM-SHA384
+ TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 DHE-RSA-ARIA128-GCM-SHA256
+ TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 DHE-RSA-ARIA256-GCM-SHA384
+ TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 DHE-DSS-ARIA128-GCM-SHA256
+ TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 DHE-DSS-ARIA256-GCM-SHA384
+ TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 ECDHE-ECDSA-ARIA128-GCM-SHA256
+ TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 ECDHE-ECDSA-ARIA256-GCM-SHA384
+ TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 ECDHE-ARIA128-GCM-SHA256
+ TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 ECDHE-ARIA256-GCM-SHA384
+ TLS_PSK_WITH_ARIA_128_GCM_SHA256 PSK-ARIA128-GCM-SHA256
+ TLS_PSK_WITH_ARIA_256_GCM_SHA384 PSK-ARIA256-GCM-SHA384
+ TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 DHE-PSK-ARIA128-GCM-SHA256
+ TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 DHE-PSK-ARIA256-GCM-SHA384
+ TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 RSA-PSK-ARIA128-GCM-SHA256
+ TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 RSA-PSK-ARIA256-GCM-SHA384
+
+=head2 Camellia HMAC-Based cipher suites from RFC6367, extending TLS v1.2
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-ECDSA-CAMELLIA256-SHA384
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-RSA-CAMELLIA128-SHA256
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-RSA-CAMELLIA256-SHA384
-=head2 Pre-shared keying (PSK) ciphersuites
+=head2 Pre-shared keying (PSK) cipher suites
PSK_WITH_NULL_SHA PSK-NULL-SHA
DHE_PSK_WITH_NULL_SHA DHE-PSK-NULL-SHA
TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 DHE-PSK-CHACHA20-POLY1305
TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 RSA-PSK-CHACHA20-POLY1305
+=head2 TLS v1.3 cipher suites
+
+ TLS_AES_128_GCM_SHA256 TLS_AES_128_GCM_SHA256
+ TLS_AES_256_GCM_SHA384 TLS_AES_256_GCM_SHA384
+ TLS_CHACHA20_POLY1305_SHA256 TLS_CHACHA20_POLY1305_SHA256
+ TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_SHA256
+ TLS_AES_128_CCM_8_SHA256 TLS_AES_128_CCM_8_SHA256
+
=head2 Older names used by OpenSSL
The following names are accepted by older releases:
=head1 SEE ALSO
-L<s_client(1)>, L<s_server(1)>, L<ssl(3)>
+L<s_client(1)>, L<s_server(1)>, L<ssl(7)>
=head1 HISTORY
The B<-V> option for the B<ciphers> command was added in OpenSSL 1.0.0.
+The B<-stdname> is only available if OpenSSL is built with tracing enabled
+(B<enable-ssl-trace> argument to Configure) before OpenSSL 1.1.1.
+
+The B<-convert> option was added in OpenSSL 1.1.1.
+
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
-Licensed under the OpenSSL license (the "License"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.