
Cipher Suites in OpenSSL

Listing Supported Suites and Ciphers

Bash
# default sane ciphers in 2023
# single quotes are required when negating a suite
openssl ciphers -v 'DEFAULT:!RC4:!SSLv3:!TLSv1:!3DES:!AES128-SHA:!AES128-SHA256:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-AES128-SHA256:!RSA:!DHE'

You can use ciphersuite.info, testssl.sh, or Mozilla’s Cipher Suite pages to convert names between IANA, GnuTLS, NSS, and OpenSSL. Links are in the References below.

Example

Bash
$ openssl ciphers -v 'DEFAULT:!RC4:!SSLv3:!TLSv1:!3DES:!AES128-SHA:!AES128-SHA256:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-AES128-SHA256:!RSA:!DHE' | column -t
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH        Au=RSA    Enc=AESGCM(256)  Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH        Au=ECDSA  Enc=AESGCM(256)  Mac=AEAD
ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH        Au=RSA    Enc=AES(256)     Mac=SHA384
ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH        Au=ECDSA  Enc=AES(256)     Mac=SHA384
DH-DSS-AES256-GCM-SHA384       TLSv1.2  Kx=DH/DSS      Au=DH     Enc=AESGCM(256)  Mac=AEAD
DH-RSA-AES256-GCM-SHA384       TLSv1.2  Kx=DH/RSA      Au=DH     Enc=AESGCM(256)  Mac=AEAD
DH-RSA-AES256-SHA256           TLSv1.2  Kx=DH/RSA      Au=DH     Enc=AES(256)     Mac=SHA256
DH-DSS-AES256-SHA256           TLSv1.2  Kx=DH/DSS      Au=DH     Enc=AES(256)     Mac=SHA256
ECDH-RSA-AES256-GCM-SHA384     TLSv1.2  Kx=ECDH/RSA    Au=ECDH   Enc=AESGCM(256)  Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384   TLSv1.2  Kx=ECDH/ECDSA  Au=ECDH   Enc=AESGCM(256)  Mac=AEAD
ECDH-RSA-AES256-SHA384         TLSv1.2  Kx=ECDH/RSA    Au=ECDH   Enc=AES(256)     Mac=SHA384
ECDH-ECDSA-AES256-SHA384       TLSv1.2  Kx=ECDH/ECDSA  Au=ECDH   Enc=AES(256)     Mac=SHA384
ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH        Au=RSA    Enc=AESGCM(128)  Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH        Au=ECDSA  Enc=AESGCM(128)  Mac=AEAD
ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH        Au=ECDSA  Enc=AES(128)     Mac=SHA256
DH-DSS-AES128-GCM-SHA256       TLSv1.2  Kx=DH/DSS      Au=DH     Enc=AESGCM(128)  Mac=AEAD
DH-RSA-AES128-GCM-SHA256       TLSv1.2  Kx=DH/RSA      Au=DH     Enc=AESGCM(128)  Mac=AEAD
DH-RSA-AES128-SHA256           TLSv1.2  Kx=DH/RSA      Au=DH     Enc=AES(128)     Mac=SHA256
DH-DSS-AES128-SHA256           TLSv1.2  Kx=DH/DSS      Au=DH     Enc=AES(128)     Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256     TLSv1.2  Kx=ECDH/RSA    Au=ECDH   Enc=AESGCM(128)  Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256   TLSv1.2  Kx=ECDH/ECDSA  Au=ECDH   Enc=AESGCM(128)  Mac=AEAD
ECDH-RSA-AES128-SHA256         TLSv1.2  Kx=ECDH/RSA    Au=ECDH   Enc=AES(128)     Mac=SHA256
ECDH-ECDSA-AES128-SHA256       TLSv1.2  Kx=ECDH/ECDSA  Au=ECDH   Enc=AES(128)     Mac=SHA256
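
The listing above still contains rows with static key exchange (for example Kx=DH/RSA, Kx=ECDH/ECDSA) and rows whose Mac column is not AEAD. The following is an added example, not part of the original page: a small filter that reads `openssl ciphers -v` rows and flags both cases. The function names `audit_ciphers` and `count_flagged` are hypothetical, and the script assumes ephemeral key exchange is reported as Kx=ECDH, Kx=DH, or Kx=any (TLS 1.3 suites).

```bash
# Sample rows copied from the example output above (subset, so this runs offline).
SAMPLE='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256'

# audit_ciphers: read `openssl ciphers -v` rows on stdin, print one verdict per row.
# Assumption: Kx=ECDH, Kx=DH and Kx=any mean ephemeral key exchange; any other
# value (Kx=DH/RSA, Kx=ECDH/ECDSA, Kx=RSA, ...) is treated as static.
audit_ciphers() {
  awk '
    NF < 6 { next }   # skip blank or malformed rows
    {
      kx = ""; mac = ""; why = ""
      for (i = 3; i <= NF; i++) {
        if ($i ~ /^Kx=/)  kx  = substr($i, 4)
        if ($i ~ /^Mac=/) mac = substr($i, 5)
      }
      if (kx != "ECDH" && kx != "DH" && kx != "any")
        why = "no-forward-secrecy(Kx=" kx ")"
      if (mac != "AEAD") {
        if (why != "") why = why ","
        why = why "non-AEAD(Mac=" mac ")"
      }
      if (why == "") print "OK", $1
      else           print "REVIEW", $1, why
    }'
}

# count_flagged: number of rows on stdin that need review (prints 0 if none).
count_flagged() {
  audit_ciphers | awk '$1 == "REVIEW" { n++ } END { print n + 0 }'
}

# Demo on the embedded sample rows.
printf '%s\n' "$SAMPLE" | audit_ciphers
```

To audit a real cipher string, pipe the command from the top of this page into the function: `openssl ciphers -v '...' | audit_ciphers`.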

References