aboutsummaryrefslogtreecommitdiff
path: root/secure/usr.bin/openssl/man/ciphers.1
diff options
context:
space:
mode:
Diffstat (limited to 'secure/usr.bin/openssl/man/ciphers.1')
-rw-r--r--secure/usr.bin/openssl/man/ciphers.1271
1 files changed, 213 insertions, 58 deletions
diff --git a/secure/usr.bin/openssl/man/ciphers.1 b/secure/usr.bin/openssl/man/ciphers.1
index 9124ed3310bd..1ab01ba81755 100644
--- a/secure/usr.bin/openssl/man/ciphers.1
+++ b/secure/usr.bin/openssl/man/ciphers.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -38,6 +38,8 @@
. ds PI \(*p
. ds L" ``
. ds R" ''
+. ds C`
+. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
-.ie \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
..
-. nr % 0
-. rr F
-.\}
-.el \{\
-. de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+. if \nF \{
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
+. if !\nF==2 \{
+. nr % 0
+. nr F 2
+. \}
+. \}
.\}
+.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -124,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "CIPHERS 1"
-.TH CIPHERS 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CIPHERS 1 "2015-01-15" "1.0.1l" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -158,7 +167,7 @@ in a cipher list; this is when similar ciphers are available for
\&\s-1SSL\s0 v2 and for \s-1SSL\s0 v3/TLS v1.
.IP "\fB\-V\fR" 4
.IX Item "-V"
-Like \fB\-V\fR, but include cipher suite codes in output (hex format).
+Like \fB\-v\fR, but include cipher suite codes in output (hex format).
.IP "\fB\-ssl3\fR" 4
.IX Item "-ssl3"
only include \s-1SSL\s0 v3 ciphers.
@@ -191,7 +200,7 @@ algorithms.
.PP
Lists of cipher suites can be combined in a single cipher string using the
\&\fB+\fR character. This is used as a logical \fBand\fR operation. For example
-\&\fB\s-1SHA1+DES\s0\fR represents all cipher suites containing the \s-1SHA1\s0 \fBand\fR the \s-1DES\s0
+\&\fB\s-1SHA1+DES\s0\fR represents all cipher suites containing the \s-1SHA1 \s0\fBand\fR the \s-1DES\s0
algorithms.
.PP
Each cipher string can be optionally preceded by the characters \fB!\fR,
@@ -225,8 +234,8 @@ specified.
.IP "\fB\s-1COMPLEMENTOFDEFAULT\s0\fR" 4
.IX Item "COMPLEMENTOFDEFAULT"
the ciphers included in \fB\s-1ALL\s0\fR, but not enabled by default. Currently
-this is \fB\s-1ADH\s0\fR. Note that this rule does not cover \fBeNULL\fR, which is
-not included by \fB\s-1ALL\s0\fR (use \fB\s-1COMPLEMENTOFALL\s0\fR if necessary).
+this is \fB\s-1ADH\s0\fR and \fB\s-1AECDH\s0\fR. Note that this rule does not cover \fBeNULL\fR,
+which is not included by \fB\s-1ALL\s0\fR (use \fB\s-1COMPLEMENTOFALL\s0\fR if necessary).
.IP "\fB\s-1ALL\s0\fR" 4
.IX Item "ALL"
all cipher suites except the \fBeNULL\fR ciphers which must be explicitly enabled;
@@ -258,24 +267,53 @@ export encryption algorithms. Including 40 and 56 bits algorithms.
with support for experimental ciphers.
.IP "\fBeNULL\fR, \fB\s-1NULL\s0\fR" 4
.IX Item "eNULL, NULL"
-the \*(L"\s-1NULL\s0\*(R" ciphers that is those offering no encryption. Because these offer no
+the \*(L"\s-1NULL\*(R"\s0 ciphers that is those offering no encryption. Because these offer no
encryption at all and are a security risk they are disabled unless explicitly
included.
.IP "\fBaNULL\fR" 4
.IX Item "aNULL"
the cipher suites offering no authentication. This is currently the anonymous
-\&\s-1DH\s0 algorithms. These cipher suites are vulnerable to a \*(L"man in the middle\*(R"
-attack and so their use is normally discouraged.
+\&\s-1DH\s0 algorithms and anonymous \s-1ECDH\s0 algorithms. These cipher suites are vulnerable
+to a \*(L"man in the middle\*(R" attack and so their use is normally discouraged.
.IP "\fBkRSA\fR, \fB\s-1RSA\s0\fR" 4
.IX Item "kRSA, RSA"
cipher suites using \s-1RSA\s0 key exchange.
+.IP "\fBkDHr\fR, \fBkDHd\fR, \fBkDH\fR" 4
+.IX Item "kDHr, kDHd, kDH"
+cipher suites using \s-1DH\s0 key agreement and \s-1DH\s0 certificates signed by CAs with \s-1RSA\s0
+and \s-1DSS\s0 keys or either respectively. Not implemented.
.IP "\fBkEDH\fR" 4
.IX Item "kEDH"
-cipher suites using ephemeral \s-1DH\s0 key agreement.
-.IP "\fBkDHr\fR, \fBkDHd\fR" 4
-.IX Item "kDHr, kDHd"
-cipher suites using \s-1DH\s0 key agreement and \s-1DH\s0 certificates signed by CAs with \s-1RSA\s0
-and \s-1DSS\s0 keys respectively. Not implemented.
+cipher suites using ephemeral \s-1DH\s0 key agreement, including anonymous cipher
+suites.
+.IP "\fB\s-1EDH\s0\fR" 4
+.IX Item "EDH"
+cipher suites using authenticated ephemeral \s-1DH\s0 key agreement.
+.IP "\fB\s-1ADH\s0\fR" 4
+.IX Item "ADH"
+anonymous \s-1DH\s0 cipher suites, note that this does not include anonymous Elliptic
+Curve \s-1DH \s0(\s-1ECDH\s0) cipher suites.
+.IP "\fB\s-1DH\s0\fR" 4
+.IX Item "DH"
+cipher suites using \s-1DH,\s0 including anonymous \s-1DH,\s0 ephemeral \s-1DH\s0 and fixed \s-1DH.\s0
+.IP "\fBkECDHr\fR, \fBkECDHe\fR, \fBkECDH\fR" 4
+.IX Item "kECDHr, kECDHe, kECDH"
+cipher suites using fixed \s-1ECDH\s0 key agreement signed by CAs with \s-1RSA\s0 and \s-1ECDSA\s0
+keys or either respectively.
+.IP "\fBkEECDH\fR" 4
+.IX Item "kEECDH"
+cipher suites using ephemeral \s-1ECDH\s0 key agreement, including anonymous
+cipher suites.
+.IP "\fB\s-1EECDHE\s0\fR" 4
+.IX Item "EECDHE"
+cipher suites using authenticated ephemeral \s-1ECDH\s0 key agreement.
+.IP "\fB\s-1AECDH\s0\fR" 4
+.IX Item "AECDH"
+anonymous Elliptic Curve Diffie Hellman cipher suites.
+.IP "\fB\s-1ECDH\s0\fR" 4
+.IX Item "ECDH"
+cipher suites using \s-1ECDH\s0 key exchange, including anonymous, ephemeral and
+fixed \s-1ECDH.\s0
.IP "\fBaRSA\fR" 4
.IX Item "aRSA"
cipher suites using \s-1RSA\s0 authentication, i.e. the certificates carry \s-1RSA\s0 keys.
@@ -286,75 +324,89 @@ cipher suites using \s-1DSS\s0 authentication, i.e. the certificates carry \s-1D
.IX Item "aDH"
cipher suites effectively using \s-1DH\s0 authentication, i.e. the certificates carry
\&\s-1DH\s0 keys. Not implemented.
+.IP "\fBaECDH\fR" 4
+.IX Item "aECDH"
+cipher suites effectively using \s-1ECDH\s0 authentication, i.e. the certificates
+carry \s-1ECDH\s0 keys.
+.IP "\fBaECDSA\fR, \fB\s-1ECDSA\s0\fR" 4
+.IX Item "aECDSA, ECDSA"
+cipher suites using \s-1ECDSA\s0 authentication, i.e. the certificates carry \s-1ECDSA\s0
+keys.
.IP "\fBkFZA\fR, \fBaFZA\fR, \fBeFZA\fR, \fB\s-1FZA\s0\fR" 4
.IX Item "kFZA, aFZA, eFZA, FZA"
ciphers suites using \s-1FORTEZZA\s0 key exchange, authentication, encryption or all
\&\s-1FORTEZZA\s0 algorithms. Not implemented.
-.IP "\fBTLSv1\fR, \fBSSLv3\fR, \fBSSLv2\fR" 4
-.IX Item "TLSv1, SSLv3, SSLv2"
-\&\s-1TLS\s0 v1.0, \s-1SSL\s0 v3.0 or \s-1SSL\s0 v2.0 cipher suites respectively.
-.IP "\fB\s-1DH\s0\fR" 4
-.IX Item "DH"
-cipher suites using \s-1DH\s0, including anonymous \s-1DH\s0.
-.IP "\fB\s-1ADH\s0\fR" 4
-.IX Item "ADH"
-anonymous \s-1DH\s0 cipher suites.
-.IP "\fB\s-1AES\s0\fR" 4
-.IX Item "AES"
-cipher suites using \s-1AES\s0.
-.IP "\fB\s-1CAMELLIA\s0\fR" 4
-.IX Item "CAMELLIA"
-cipher suites using Camellia.
+.IP "\fBTLSv1.2\fR, \fBTLSv1\fR, \fBSSLv3\fR, \fBSSLv2\fR" 4
+.IX Item "TLSv1.2, TLSv1, SSLv3, SSLv2"
+\&\s-1TLS\s0 v1.2, \s-1TLS\s0 v1.0, \s-1SSL\s0 v3.0 or \s-1SSL\s0 v2.0 cipher suites respectively. Note:
+there are no ciphersuites specific to \s-1TLS\s0 v1.1.
+.IP "\fB\s-1AES128\s0\fR, \fB\s-1AES256\s0\fR, \fB\s-1AES\s0\fR" 4
+.IX Item "AES128, AES256, AES"
+cipher suites using 128 bit \s-1AES, 256\s0 bit \s-1AES\s0 or either 128 or 256 bit \s-1AES.\s0
+.IP "\fB\s-1AESGCM\s0\fR" 4
+.IX Item "AESGCM"
+\&\s-1AES\s0 in Galois Counter Mode (\s-1GCM\s0): these ciphersuites are only supported
+in \s-1TLS\s0 v1.2.
+.IP "\fB\s-1CAMELLIA128\s0\fR, \fB\s-1CAMELLIA256\s0\fR, \fB\s-1CAMELLIA\s0\fR" 4
+.IX Item "CAMELLIA128, CAMELLIA256, CAMELLIA"
+cipher suites using 128 bit \s-1CAMELLIA, 256\s0 bit \s-1CAMELLIA\s0 or either 128 or 256 bit
+\&\s-1CAMELLIA.\s0
.IP "\fB3DES\fR" 4
.IX Item "3DES"
-cipher suites using triple \s-1DES\s0.
+cipher suites using triple \s-1DES.\s0
.IP "\fB\s-1DES\s0\fR" 4
.IX Item "DES"
-cipher suites using \s-1DES\s0 (not triple \s-1DES\s0).
+cipher suites using \s-1DES \s0(not triple \s-1DES\s0).
.IP "\fB\s-1RC4\s0\fR" 4
.IX Item "RC4"
-cipher suites using \s-1RC4\s0.
+cipher suites using \s-1RC4.\s0
.IP "\fB\s-1RC2\s0\fR" 4
.IX Item "RC2"
-cipher suites using \s-1RC2\s0.
+cipher suites using \s-1RC2.\s0
.IP "\fB\s-1IDEA\s0\fR" 4
.IX Item "IDEA"
-cipher suites using \s-1IDEA\s0.
+cipher suites using \s-1IDEA.\s0
.IP "\fB\s-1SEED\s0\fR" 4
.IX Item "SEED"
-cipher suites using \s-1SEED\s0.
+cipher suites using \s-1SEED.\s0
.IP "\fB\s-1MD5\s0\fR" 4
.IX Item "MD5"
-cipher suites using \s-1MD5\s0.
+cipher suites using \s-1MD5.\s0
.IP "\fB\s-1SHA1\s0\fR, \fB\s-1SHA\s0\fR" 4
.IX Item "SHA1, SHA"
-cipher suites using \s-1SHA1\s0.
+cipher suites using \s-1SHA1.\s0
+.IP "\fB\s-1SHA256\s0\fR, \fB\s-1SHA384\s0\fR" 4
+.IX Item "SHA256, SHA384"
+ciphersuites using \s-1SHA256\s0 or \s-1SHA384.\s0
.IP "\fBaGOST\fR" 4
.IX Item "aGOST"
-cipher suites using \s-1GOST\s0 R 34.10 (either 2001 or 94) for authenticaction
+cipher suites using \s-1GOST R 34.10 \s0(either 2001 or 94) for authenticaction
(needs an engine supporting \s-1GOST\s0 algorithms).
.IP "\fBaGOST01\fR" 4
.IX Item "aGOST01"
-cipher suites using \s-1GOST\s0 R 34.10\-2001 authentication.
+cipher suites using \s-1GOST R 34.10\-2001\s0 authentication.
.IP "\fBaGOST94\fR" 4
.IX Item "aGOST94"
-cipher suites using \s-1GOST\s0 R 34.10\-94 authentication (note that R 34.10\-94
-standard has been expired so use \s-1GOST\s0 R 34.10\-2001)
+cipher suites using \s-1GOST R 34.10\-94\s0 authentication (note that R 34.10\-94
+standard has been expired so use \s-1GOST R 34.10\-2001\s0)
.IP "\fBkGOST\fR" 4
.IX Item "kGOST"
-cipher suites, using \s-1VKO\s0 34.10 key exchange, specified in the \s-1RFC\s0 4357.
+cipher suites, using \s-1VKO 34.10\s0 key exchange, specified in the \s-1RFC 4357.\s0
.IP "\fB\s-1GOST94\s0\fR" 4
.IX Item "GOST94"
-cipher suites, using \s-1HMAC\s0 based on \s-1GOST\s0 R 34.11\-94.
+cipher suites, using \s-1HMAC\s0 based on \s-1GOST R 34.11\-94.\s0
.IP "\fB\s-1GOST89MAC\s0\fR" 4
.IX Item "GOST89MAC"
-cipher suites using \s-1GOST\s0 28147\-89 \s-1MAC\s0 \fBinstead of\fR \s-1HMAC\s0.
+cipher suites using \s-1GOST 28147\-89 MAC \s0\fBinstead of\fR \s-1HMAC.\s0
+.IP "\fB\s-1PSK\s0\fR" 4
+.IX Item "PSK"
+cipher suites using pre-shared keys (\s-1PSK\s0).
.SH "CIPHER SUITE NAMES"
.IX Header "CIPHER SUITE NAMES"
The following lists give the \s-1SSL\s0 or \s-1TLS\s0 cipher suites names from the
relevant specification and their OpenSSL equivalents. It should be noted,
that several cipher suite names do not include the authentication used,
-e.g. \s-1DES\-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
+e.g. \s-1DES\-CBC3\-SHA.\s0 In these cases, \s-1RSA\s0 authentication is used.
.SS "\s-1SSL\s0 v3.0 cipher suites."
.IX Subsection "SSL v3.0 cipher suites."
.Vb 10
@@ -425,7 +477,7 @@ e.g. \s-1DES\-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
\& TLS_DH_anon_WITH_DES_CBC_SHA ADH\-DES\-CBC\-SHA
\& TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH\-DES\-CBC3\-SHA
.Ve
-.SS "\s-1AES\s0 ciphersuites from \s-1RFC3268\s0, extending \s-1TLS\s0 v1.0"
+.SS "\s-1AES\s0 ciphersuites from \s-1RFC3268,\s0 extending \s-1TLS\s0 v1.0"
.IX Subsection "AES ciphersuites from RFC3268, extending TLS v1.0"
.Vb 2
\& TLS_RSA_WITH_AES_128_CBC_SHA AES128\-SHA
@@ -444,7 +496,7 @@ e.g. \s-1DES\-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
\& TLS_DH_anon_WITH_AES_128_CBC_SHA ADH\-AES128\-SHA
\& TLS_DH_anon_WITH_AES_256_CBC_SHA ADH\-AES256\-SHA
.Ve
-.SS "Camellia ciphersuites from \s-1RFC4132\s0, extending \s-1TLS\s0 v1.0"
+.SS "Camellia ciphersuites from \s-1RFC4132,\s0 extending \s-1TLS\s0 v1.0"
.IX Subsection "Camellia ciphersuites from RFC4132, extending TLS v1.0"
.Vb 2
\& TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128\-SHA
@@ -463,7 +515,7 @@ e.g. \s-1DES\-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
\& TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA ADH\-CAMELLIA128\-SHA
\& TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA ADH\-CAMELLIA256\-SHA
.Ve
-.SS "\s-1SEED\s0 ciphersuites from \s-1RFC4162\s0, extending \s-1TLS\s0 v1.0"
+.SS "\s-1SEED\s0 ciphersuites from \s-1RFC4162,\s0 extending \s-1TLS\s0 v1.0"
.IX Subsection "SEED ciphersuites from RFC4162, extending TLS v1.0"
.Vb 1
\& TLS_RSA_WITH_SEED_CBC_SHA SEED\-SHA
@@ -498,8 +550,104 @@ Note: these ciphers can also be used in \s-1SSL\s0 v3.
\& TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024\-DHE\-DSS\-RC4\-SHA
\& TLS_DHE_DSS_WITH_RC4_128_SHA DHE\-DSS\-RC4\-SHA
.Ve
-.SS "\s-1SSL\s0 v2.0 cipher suites."
-.IX Subsection "SSL v2.0 cipher suites."
+.SS "Elliptic curve cipher suites."
+.IX Subsection "Elliptic curve cipher suites."
+.Vb 5
+\& TLS_ECDH_RSA_WITH_NULL_SHA ECDH\-RSA\-NULL\-SHA
+\& TLS_ECDH_RSA_WITH_RC4_128_SHA ECDH\-RSA\-RC4\-SHA
+\& TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA ECDH\-RSA\-DES\-CBC3\-SHA
+\& TLS_ECDH_RSA_WITH_AES_128_CBC_SHA ECDH\-RSA\-AES128\-SHA
+\& TLS_ECDH_RSA_WITH_AES_256_CBC_SHA ECDH\-RSA\-AES256\-SHA
+\&
+\& TLS_ECDH_ECDSA_WITH_NULL_SHA ECDH\-ECDSA\-NULL\-SHA
+\& TLS_ECDH_ECDSA_WITH_RC4_128_SHA ECDH\-ECDSA\-RC4\-SHA
+\& TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA ECDH\-ECDSA\-DES\-CBC3\-SHA
+\& TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA ECDH\-ECDSA\-AES128\-SHA
+\& TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA ECDH\-ECDSA\-AES256\-SHA
+\&
+\& TLS_ECDHE_RSA_WITH_NULL_SHA ECDHE\-RSA\-NULL\-SHA
+\& TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDHE\-RSA\-RC4\-SHA
+\& TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDHE\-RSA\-DES\-CBC3\-SHA
+\& TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDHE\-RSA\-AES128\-SHA
+\& TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDHE\-RSA\-AES256\-SHA
+\&
+\& TLS_ECDHE_ECDSA_WITH_NULL_SHA ECDHE\-ECDSA\-NULL\-SHA
+\& TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ECDHE\-ECDSA\-RC4\-SHA
+\& TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ECDHE\-ECDSA\-DES\-CBC3\-SHA
+\& TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE\-ECDSA\-AES128\-SHA
+\& TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDHE\-ECDSA\-AES256\-SHA
+\&
+\& TLS_ECDH_anon_WITH_NULL_SHA AECDH\-NULL\-SHA
+\& TLS_ECDH_anon_WITH_RC4_128_SHA AECDH\-RC4\-SHA
+\& TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA AECDH\-DES\-CBC3\-SHA
+\& TLS_ECDH_anon_WITH_AES_128_CBC_SHA AECDH\-AES128\-SHA
+\& TLS_ECDH_anon_WITH_AES_256_CBC_SHA AECDH\-AES256\-SHA
+.Ve
+.SS "\s-1TLS\s0 v1.2 cipher suites"
+.IX Subsection "TLS v1.2 cipher suites"
+.Vb 1
+\& TLS_RSA_WITH_NULL_SHA256 NULL\-SHA256
+\&
+\& TLS_RSA_WITH_AES_128_CBC_SHA256 AES128\-SHA256
+\& TLS_RSA_WITH_AES_256_CBC_SHA256 AES256\-SHA256
+\& TLS_RSA_WITH_AES_128_GCM_SHA256 AES128\-GCM\-SHA256
+\& TLS_RSA_WITH_AES_256_GCM_SHA384 AES256\-GCM\-SHA384
+\&
+\& TLS_DH_RSA_WITH_AES_128_CBC_SHA256 Not implemented.
+\& TLS_DH_RSA_WITH_AES_256_CBC_SHA256 Not implemented.
+\& TLS_DH_RSA_WITH_AES_128_GCM_SHA256 Not implemented.
+\& TLS_DH_RSA_WITH_AES_256_GCM_SHA384 Not implemented.
+\&
+\& TLS_DH_DSS_WITH_AES_128_CBC_SHA256 Not implemented.
+\& TLS_DH_DSS_WITH_AES_256_CBC_SHA256 Not implemented.
+\& TLS_DH_DSS_WITH_AES_128_GCM_SHA256 Not implemented.
+\& TLS_DH_DSS_WITH_AES_256_GCM_SHA384 Not implemented.
+\&
+\& TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DHE\-RSA\-AES128\-SHA256
+\& TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DHE\-RSA\-AES256\-SHA256
+\& TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DHE\-RSA\-AES128\-GCM\-SHA256
+\& TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DHE\-RSA\-AES256\-GCM\-SHA384
+\&
+\& TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 DHE\-DSS\-AES128\-SHA256
+\& TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 DHE\-DSS\-AES256\-SHA256
+\& TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 DHE\-DSS\-AES128\-GCM\-SHA256
+\& TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 DHE\-DSS\-AES256\-GCM\-SHA384
+\&
+\& TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 ECDH\-RSA\-AES128\-SHA256
+\& TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 ECDH\-RSA\-AES256\-SHA384
+\& TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 ECDH\-RSA\-AES128\-GCM\-SHA256
+\& TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 ECDH\-RSA\-AES256\-GCM\-SHA384
+\&
+\& TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 ECDH\-ECDSA\-AES128\-SHA256
+\& TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 ECDH\-ECDSA\-AES256\-SHA384
+\& TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 ECDH\-ECDSA\-AES128\-GCM\-SHA256
+\& TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 ECDH\-ECDSA\-AES256\-GCM\-SHA384
+\&
+\& TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHE\-RSA\-AES128\-SHA256
+\& TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDHE\-RSA\-AES256\-SHA384
+\& TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE\-RSA\-AES128\-GCM\-SHA256
+\& TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDHE\-RSA\-AES256\-GCM\-SHA384
+\&
+\& TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE\-ECDSA\-AES128\-SHA256
+\& TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDHE\-ECDSA\-AES256\-SHA384
+\& TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE\-ECDSA\-AES128\-GCM\-SHA256
+\& TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE\-ECDSA\-AES256\-GCM\-SHA384
+\&
+\& TLS_DH_anon_WITH_AES_128_CBC_SHA256 ADH\-AES128\-SHA256
+\& TLS_DH_anon_WITH_AES_256_CBC_SHA256 ADH\-AES256\-SHA256
+\& TLS_DH_anon_WITH_AES_128_GCM_SHA256 ADH\-AES128\-GCM\-SHA256
+\& TLS_DH_anon_WITH_AES_256_GCM_SHA384 ADH\-AES256\-GCM\-SHA384
+.Ve
+.SS "Pre shared keying (\s-1PSK\s0) cipheruites"
+.IX Subsection "Pre shared keying (PSK) cipheruites"
+.Vb 4
+\& TLS_PSK_WITH_RC4_128_SHA PSK\-RC4\-SHA
+\& TLS_PSK_WITH_3DES_EDE_CBC_SHA PSK\-3DES\-EDE\-CBC\-SHA
+\& TLS_PSK_WITH_AES_128_CBC_SHA PSK\-AES128\-CBC\-SHA
+\& TLS_PSK_WITH_AES_256_CBC_SHA PSK\-AES256\-CBC\-SHA
+.Ve
+.SS "Deprecated \s-1SSL\s0 v2.0 cipher suites."
+.IX Subsection "Deprecated SSL v2.0 cipher suites."
.Vb 7
\& SSL_CK_RC4_128_WITH_MD5 RC4\-MD5
\& SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP\-RC4\-MD5
@@ -531,6 +679,13 @@ strength:
\& openssl ciphers \-v \*(AqALL:!ADH:@STRENGTH\*(Aq
.Ve
.PP
+Include all ciphers except ones with no encryption (eNULL) or no
+authentication (aNULL):
+.PP
+.Vb 1
+\& openssl ciphers \-v \*(AqALL:!aNULL\*(Aq
+.Ve
+.PP
Include only 3DES ciphers and then place \s-1RSA\s0 ciphers last:
.PP
.Vb 1
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-31 06:31:28 +0000