Manual Pages for UNIX Darwin command on man ciphers
MyWebUniversity

Manual Pages for UNIX Darwin command on man ciphers

CIPHERS(1) OpenSSL CIPHERS(1)





NAME
       ciphers - SSL cipher display and cipher list tool.



SYNOPSIS
       ooppeennssssll cciipphheerrss [-vv] [-ssssll22] [-ssssll33] [-ttllss11] [cciipphheerrlliisstt]



DESCRIPTION
       The cciipphheerrlliisstt command converts OpenSSL cipher lists into ordered SSL
       cipher preference lists. It can be used as a test tool to determine the
       appropriate cipherlist.

CCOOMMMMAANNDD OOPPTTIIOONNSS

       -vv  verbose option. List ciphers with a complete description of

           protocol version (SSLv2 or SSLv3; the latter includes TLS), key
           exchange, authentication, encryption and mac algorithms used along
           with any key size restrictions and whether the algorithm is classed

           as an "export" cipher.  Note that without the -vv option, ciphers

           may seem to appear twice in a cipher list; this is when similar

           ciphers are available for SSL v2 and for SSL v3/TLS v1.



       -ssssll33

           only include SSL v3 ciphers.



       -ssssll22

           only include SSL v2 ciphers.



       -ttllss11

           only include TLS v1 ciphers.



       -hh, -??

           print a brief usage message.

       cciipphheerrlliisstt
           a cipher list to convert to a cipher preference list. If it is not
           included then the default cipher list will be used. The format is
           described below.

CCIIPPHHEERR LLIISSTT FFOORRMMAATT
       The cipher list consists of one or more cipher strings separated by
       colons.  Commas or spaces are also acceptable separators but colons are
       normally used.

       The actual cipher string can take several different forms.


       It can consist of a single cipher suite such as RRCC44-SSHHAA.


       It can represent a list of cipher suites containing a certain
       algorithm, or cipher suites of a certain type. For example SSHHAA11

       represents all ciphers suites using the digest algorithm SHA1 and SSSSLLvv33

       represents all SSL v3 algorithms.

       Lists of cipher suites can be combined in a single cipher string using
       the ++ character. This is used as a logical aanndd operation. For example
       SSHHAA11++DDEESS represents all cipher suites containing the SHA1 aanndd the DES
       algorithms.


       Each cipher string can be optionally preceded by the characters !!, - or

       ++.


       If !! is used then the ciphers are permanently deleted from the list.

       The ciphers deleted can never reappear in the list even if they are

       explicitly stated.


       If - is used then the ciphers are deleted from the list, but some or

       all of the ciphers can be added again by later options.



       If ++ is used then the ciphers are moved to the end of the list. This

       option doesn't add any new ciphers it just moves matching existing

       ones.

       If none of these characters is present then the string is just

       interpreted as a list of ciphers to be appended to the current

       preference list. If the list includes any ciphers already present they

       will be ignored: that is they will not moved to the end of the list.

       Additionally the cipher string @@SSTTRREENNGGTTHH can be used at any point to
       sort the current cipher list in order of encryption algorithm key
       length.

CCIIPPHHEERR SSTTRRIINNGGSS
       The following is a list of all permitted cipher strings and their
       meanings.

       DDEEFFAAUULLTT
           the default cipher list. This is determined at compile time and is
           normally AALLLL::!!AADDHH::RRCC44++RRSSAA::++SSSSLLvv22::@@SSTTRREENNGGTTHH. This must be the first
           cipher string specified.

       CCOOMMPPLLEEMMEENNTTOOFFDDEEFFAAUULLTT

           the ciphers included in AALLLL, but not enabled by default. Currently

           this is AADDHH. Note that this rule does not cover eeNNUULLLL, which is not
           included by AALLLL (use CCOOMMPPLLEEMMEENNTTOOFFAALLLL if necessary).


       AALLLL all ciphers suites except the eeNNUULLLL ciphers which must be

           explicitly enabled.

       CCOOMMPPLLEEMMEENNTTOOFFAALLLL
           the cipher suites not enabled by AALLLL, currently being eeNNUULLLL.

       HHIIGGHH
           "high" encryption cipher suites. This currently means those with
           key lengths larger than 128 bits, and some cipher suites with

           128-bit keys.


       MMEEDDIIUUMM
           "medium" encryption cipher suites, currently some of those using
           128 bit encryption.

       LLOOWW "low" encryption cipher suites, currently those using 64 or 56 bit
           encryption algorithms but excluding export cipher suites.

       EEXXPP, EEXXPPOORRTT
           export encryption algorithms. Including 40 and 56 bits algorithms.

       EEXXPPOORRTT4400
           40 bit export encryption algorithms

       EEXXPPOORRTT5566
           56 bit export encryption algorithms.

       eeNNUULLLL, NNUULLLL

           the "NULL" ciphers that is those offering no encryption. Because

           these offer no encryption at all and are a security risk they are
           disabled unless explicitly included.

       aaNNUULLLL
           the cipher suites offering no authentication. This is currently the
           anonymous DH algorithms. These cipher suites are vulnerable to a
           "man in the middle" attack and so their use is normally
           discouraged.

       kkRRSSAA, RRSSAA
           cipher suites using RSA key exchange.

       kkEEDDHH
           cipher suites using ephemeral DH key agreement.

       kkDDHHrr, kkDDHHdd
           cipher suites using DH key agreement and DH certificates signed by
           CAs with RSA and DSS keys respectively. Not implemented.

       aaRRSSAA
           cipher suites using RSA authentication, i.e. the certificates carry
           RSA keys.

       aaDDSSSS, DDSSSS
           cipher suites using DSS authentication, i.e. the certificates carry
           DSS keys.

       aaDDHH cipher suites effectively using DH authentication, i.e. the
           certificates carry DH keys.  Not implemented.

       kkFFZZAA, aaFFZZAA, eeFFZZAA, FFZZAA

           ciphers suites using FORTEZZA key exchange, authentication,

           encryption or all FORTEZZA algorithms. Not implemented.

       TTLLSSvv11, SSSSLLvv33, SSSSLLvv22
           TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively.

       DDHH  cipher suites using DH, including anonymous DH.

       AADDHH anonymous DH cipher suites.

       AAEESS cipher suites using AES.

       33DDEESS
           cipher suites using triple DES.

       DDEESS cipher suites using DES (not triple DES).

       RRCC44 cipher suites using RC4.

       RRCC22 cipher suites using RC2.

       IIDDEEAA
           cipher suites using IDEA.

       MMDD55 cipher suites using MD5.

       SSHHAA11, SSHHAA
           cipher suites using SHA1.


CIPHER SUITE NAMES
       The following lists give the SSL or TLS cipher suites names from the
       relevant specification and their OpenSSL equivalents. It should be
       noted, that several cipher suite names do not include the

       authentication used, e.g. DES-CBC3-SHA. In these cases, RSA

       authentication is used.

       SSSSLL vv33..00 cciipphheerr ssuuiitteess..


        SSLRSAWITHNULLMD5                   NULL-MD5

        SSLRSAWITHNULLSHA                   NULL-SHA

        SSLRSAEXPORTWITHRC440MD5          EXP-RC4-MD5

        SSLRSAWITHRC4128MD5                RC4-MD5

        SSLRSAWITHRC4128SHA                RC4-SHA

        SSLRSAEXPORTWITHRC2CBC40MD5      EXP-RC2-CBC-MD5

        SSLRSAWITHIDEACBCSHA               IDEA-CBC-SHA

        SSLRSAEXPORTWITHDES40CBCSHA       EXP-DES-CBC-SHA

        SSLRSAWITHDESCBCSHA                DES-CBC-SHA

        SSLRSAWITH3DESEDECBCSHA           DES-CBC3-SHA


        SSLDHDSSEXPORTWITHDES40CBCSHA    Not implemented.
        SSLDHDSSWITHDESCBCSHA             Not implemented.
        SSLDHDSSWITH3DESEDECBCSHA        Not implemented.
        SSLDHRSAEXPORTWITHDES40CBCSHA    Not implemented.
        SSLDHRSAWITHDESCBCSHA             Not implemented.
        SSLDHRSAWITH3DESEDECBCSHA        Not implemented.

        SSLDHEDSSEXPORTWITHDES40CBCSHA   EXP-EDH-DSS-DES-CBC-SHA

        SSLDHEDSSWITHDESCBCSHA            EDH-DSS-CBC-SHA

        SSLDHEDSSWITH3DESEDECBCSHA       EDH-DSS-DES-CBC3-SHA

        SSLDHERSAEXPORTWITHDES40CBCSHA   EXP-EDH-RSA-DES-CBC-SHA

        SSLDHERSAWITHDESCBCSHA            EDH-RSA-DES-CBC-SHA

        SSLDHERSAWITH3DESEDECBCSHA       EDH-RSA-DES-CBC3-SHA



        SSLDHanonEXPORTWITHRC440MD5      EXP-ADH-RC4-MD5

        SSLDHanonWITHRC4128MD5            ADH-RC4-MD5

        SSLDHanonEXPORTWITHDES40CBCSHA   EXP-ADH-DES-CBC-SHA

        SSLDHanonWITHDESCBCSHA            ADH-DES-CBC-SHA

        SSLDHanonWITH3DESEDECBCSHA       ADH-DES-CBC3-SHA


        SSLFORTEZZAKEAWITHNULLSHA          Not implemented.
        SSLFORTEZZAKEAWITHFORTEZZACBCSHA  Not implemented.
        SSLFORTEZZAKEAWITHRC4128SHA       Not implemented.

       TTLLSS vv11..00 cciipphheerr ssuuiitteess..


        TLSRSAWITHNULLMD5                   NULL-MD5

        TLSRSAWITHNULLSHA                   NULL-SHA

        TLSRSAEXPORTWITHRC440MD5          EXP-RC4-MD5

        TLSRSAWITHRC4128MD5                RC4-MD5

        TLSRSAWITHRC4128SHA                RC4-SHA

        TLSRSAEXPORTWITHRC2CBC40MD5      EXP-RC2-CBC-MD5

        TLSRSAWITHIDEACBCSHA               IDEA-CBC-SHA

        TLSRSAEXPORTWITHDES40CBCSHA       EXP-DES-CBC-SHA

        TLSRSAWITHDESCBCSHA                DES-CBC-SHA

        TLSRSAWITH3DESEDECBCSHA           DES-CBC3-SHA


        TLSDHDSSEXPORTWITHDES40CBCSHA    Not implemented.
        TLSDHDSSWITHDESCBCSHA             Not implemented.
        TLSDHDSSWITH3DESEDECBCSHA        Not implemented.
        TLSDHRSAEXPORTWITHDES40CBCSHA    Not implemented.
        TLSDHRSAWITHDESCBCSHA             Not implemented.
        TLSDHRSAWITH3DESEDECBCSHA        Not implemented.

        TLSDHEDSSEXPORTWITHDES40CBCSHA   EXP-EDH-DSS-DES-CBC-SHA

        TLSDHEDSSWITHDESCBCSHA            EDH-DSS-CBC-SHA

        TLSDHEDSSWITH3DESEDECBCSHA       EDH-DSS-DES-CBC3-SHA

        TLSDHERSAEXPORTWITHDES40CBCSHA   EXP-EDH-RSA-DES-CBC-SHA

        TLSDHERSAWITHDESCBCSHA            EDH-RSA-DES-CBC-SHA

        TLSDHERSAWITH3DESEDECBCSHA       EDH-RSA-DES-CBC3-SHA



        TLSDHanonEXPORTWITHRC440MD5      EXP-ADH-RC4-MD5

        TLSDHanonWITHRC4128MD5            ADH-RC4-MD5

        TLSDHanonEXPORTWITHDES40CBCSHA   EXP-ADH-DES-CBC-SHA

        TLSDHanonWITHDESCBCSHA            ADH-DES-CBC-SHA

        TLSDHanonWITH3DESEDECBCSHA       ADH-DES-CBC3-SHA


       AAEESS cciipphheerrssuuiitteess ffrroomm RRFFCC33226688,, eexxtteennddiinngg TTLLSS vv11..00


        TLSRSAWITHAES128CBCSHA            AES128-SHA

        TLSRSAWITHAES256CBCSHA            AES256-SHA



        TLSDHDSSWITHAES128CBCSHA         DH-DSS-AES128-SHA

        TLSDHDSSWITHAES256CBCSHA         DH-DSS-AES256-SHA

        TLSDHRSAWITHAES128CBCSHA         DH-RSA-AES128-SHA

        TLSDHRSAWITHAES256CBCSHA         DH-RSA-AES256-SHA



        TLSDHEDSSWITHAES128CBCSHA        DHE-DSS-AES128-SHA

        TLSDHEDSSWITHAES256CBCSHA        DHE-DSS-AES256-SHA

        TLSDHERSAWITHAES128CBCSHA        DHE-RSA-AES128-SHA

        TLSDHERSAWITHAES256CBCSHA        DHE-RSA-AES256-SHA



        TLSDHanonWITHAES128CBCSHA        ADH-AES128-SHA

        TLSDHanonWITHAES256CBCSHA        ADH-AES256-SHA


       AAddddiittiioonnaall EExxppoorrtt 11002244 aanndd ootthheerr cciipphheerr ssuuiitteess


       Note: these ciphers can also be used in SSL v3.



        TLSRSAEXPORT1024WITHDESCBCSHA     EXP1024-DES-CBC-SHA

        TLSRSAEXPORT1024WITHRC456SHA      EXP1024-RC4-SHA

        TLSDHEDSSEXPORT1024WITHDESCBCSHA EXP1024-DHE-DSS-DES-CBC-SHA

        TLSDHEDSSEXPORT1024WITHRC456SHA  EXP1024-DHE-DSS-RC4-SHA

        TLSDHEDSSWITHRC4128SHA            DHE-DSS-RC4-SHA


       SSSSLL vv22..00 cciipphheerr ssuuiitteess..


        SSLCKRC4128WITHMD5                 RC4-MD5

        SSLCKRC4128EXPORT40WITHMD5        EXP-RC4-MD5

        SSLCKRC2128CBCWITHMD5             RC2-MD5

        SSLCKRC2128CBCEXPORT40WITHMD5    EXP-RC2-MD5

        SSLCKIDEA128CBCWITHMD5            IDEA-CBC-MD5

        SSLCKDES64CBCWITHMD5              DES-CBC-MD5

        SSLCKDES192EDE3CBCWITHMD5        DES-CBC3-MD5


NNOOTTEESS

       The non-ephemeral DH modes are currently unimplemented in OpenSSL

       because there is no support for DH certificates.


       Some compiled versions of OpenSSL may not include all the ciphers

       listed here because some ciphers were excluded at compile time.


EEXXAAMMPPLLEESS

       Verbose listing of all OpenSSL ciphers including NULL ciphers:



        openssl ciphers -v 'ALL:eNULL'



       Include all ciphers except NULL and anonymous DH then sort by strength:



        openssl ciphers -v 'ALL:!ADH:@STRENGTH'



       Include only 3DES ciphers and then place RSA ciphers last:



        openssl ciphers -v '3DES:+RSA'



       Include all RC4 ciphers but leave out those without authentication:



        openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT'



       Include all chiphers with RSA authentication but leave out ciphers

       without encryption.


        openssl ciphers -v 'RSA:!COMPLEMENTOFALL'



SEE ALSO
       sclient(1), sserver(1), ssl(3)

HISTORY       The CCOOMMPPLLEENNTTOOFFAALLLL and CCOOMMPPLLEEMMEENNTTOOFFDDEEFFAAUULLTT selection options were added
       in version 0.9.7.




0.9.7l                            2006-06-30                        CIPHERS(1)



Contact us      |      About us      |      Term of use      |       Copyright © 2000-2019 MyWebUniversity.com ™