Durable/Note
PKI/Ciphers
Application/OpenSSL
Cipher Suites in OpenSSL
Listing Supported Suites and Ciphers
```bash
# default sane ciphers in 2023
# single quotes are required when negating a suite
openssl ciphers -v 'DEFAULT:!RC4:!SSLv3:!TLSv1:!3DES:!AES128-SHA:!AES128-SHA256:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-AES128-SHA256:!RSA:!DHE'
```
You can use ciphersuite.info, testssl.sh, or Mozilla’s Cipher Suite pages to convert names between IANA, GnuTLS, NSS, and OpenSSL. Links are in the References below.
Example
```bash
$ openssl ciphers -v 'DEFAULT:!RC4:!SSLv3:!TLSv1:!3DES:!AES128-SHA:!AES128-SHA256:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-AES128-SHA256:!RSA:!DHE' | column -t
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH        Au=RSA    Enc=AESGCM(256)  Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH        Au=ECDSA  Enc=AESGCM(256)  Mac=AEAD
ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH        Au=RSA    Enc=AES(256)     Mac=SHA384
ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH        Au=ECDSA  Enc=AES(256)     Mac=SHA384
DH-DSS-AES256-GCM-SHA384       TLSv1.2  Kx=DH/DSS      Au=DH     Enc=AESGCM(256)  Mac=AEAD
DH-RSA-AES256-GCM-SHA384       TLSv1.2  Kx=DH/RSA      Au=DH     Enc=AESGCM(256)  Mac=AEAD
DH-RSA-AES256-SHA256           TLSv1.2  Kx=DH/RSA      Au=DH     Enc=AES(256)     Mac=SHA256
DH-DSS-AES256-SHA256           TLSv1.2  Kx=DH/DSS      Au=DH     Enc=AES(256)     Mac=SHA256
ECDH-RSA-AES256-GCM-SHA384     TLSv1.2  Kx=ECDH/RSA    Au=ECDH   Enc=AESGCM(256)  Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384   TLSv1.2  Kx=ECDH/ECDSA  Au=ECDH   Enc=AESGCM(256)  Mac=AEAD
ECDH-RSA-AES256-SHA384         TLSv1.2  Kx=ECDH/RSA    Au=ECDH   Enc=AES(256)     Mac=SHA384
ECDH-ECDSA-AES256-SHA384       TLSv1.2  Kx=ECDH/ECDSA  Au=ECDH   Enc=AES(256)     Mac=SHA384
ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH        Au=RSA    Enc=AESGCM(128)  Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH        Au=ECDSA  Enc=AESGCM(128)  Mac=AEAD
ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH        Au=ECDSA  Enc=AES(128)     Mac=SHA256
DH-DSS-AES128-GCM-SHA256       TLSv1.2  Kx=DH/DSS      Au=DH     Enc=AESGCM(128)  Mac=AEAD
DH-RSA-AES128-GCM-SHA256       TLSv1.2  Kx=DH/RSA      Au=DH     Enc=AESGCM(128)  Mac=AEAD
DH-RSA-AES128-SHA256           TLSv1.2  Kx=DH/RSA      Au=DH     Enc=AES(128)     Mac=SHA256
DH-DSS-AES128-SHA256           TLSv1.2  Kx=DH/DSS      Au=DH     Enc=AES(128)     Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256     TLSv1.2  Kx=ECDH/RSA    Au=ECDH   Enc=AESGCM(128)  Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256   TLSv1.2  Kx=ECDH/ECDSA  Au=ECDH   Enc=AESGCM(128)  Mac=AEAD
ECDH-RSA-AES128-SHA256         TLSv1.2  Kx=ECDH/RSA    Au=ECDH   Enc=AES(128)     Mac=SHA256
ECDH-ECDSA-AES128-SHA256       TLSv1.2  Kx=ECDH/ECDSA  Au=ECDH   Enc=AES(128)     Mac=SHA256
```
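The listing above still contains suites with static DH/ECDH key exchange and CBC+HMAC suites. As an added example (not part of the original note), this filter reads `openssl ciphers -v` output and flags suites whose `Kx` field indicates no forward secrecy or whose `Mac` field is not `AEAD`. The function names `audit_ciphers` and `sample_output` are hypothetical, and the sample lines are copied from the example output above.

```bash
#!/usr/bin/env bash
# Added example: audit `openssl ciphers -v` output (raw or piped through column -t).

# Reads cipher lines on stdin and prints "<suite> <findings>" for every suite
# that lacks forward secrecy or uses a non-AEAD (CBC + HMAC) construction.
audit_ciphers() {
  awk '
    NF >= 6 {
      kx = ""; mac = ""
      for (i = 3; i <= NF; i++) {
        if ($i ~ /^Kx=/)  kx  = substr($i, 4)
        if ($i ~ /^Mac=/) mac = substr($i, 5)
      }
      findings = ""
      # "DH/RSA", "ECDH/ECDSA" etc. are static (EC)DH; "RSA" is RSA key transport.
      if (index(kx, "/") > 0 || kx == "RSA") findings = "no-forward-secrecy"
      if (mac != "AEAD") {
        sep = (findings != "") ? "," : ""
        findings = findings sep "non-aead"
      }
      if (findings != "") print $1, findings
    }'
}

# Sample input: four lines taken from the example output on this page.
sample_output() {
  cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH        Au=RSA   Enc=AESGCM(256)  Mac=AEAD
ECDHE-RSA-AES256-SHA384      TLSv1.2  Kx=ECDH        Au=RSA   Enc=AES(256)     Mac=SHA384
DH-RSA-AES256-GCM-SHA384     TLSv1.2  Kx=DH/RSA      Au=DH    Enc=AESGCM(256)  Mac=AEAD
ECDH-ECDSA-AES128-SHA256     TLSv1.2  Kx=ECDH/ECDSA  Au=ECDH  Enc=AES(128)     Mac=SHA256
EOF
}

# Offline demonstration on the sample lines.
sample_output | audit_ciphers

# Against a live OpenSSL build, pipe the cipher string from this note instead:
#   openssl ciphers -v 'DEFAULT:!RC4:...' | audit_ciphers
```

An empty result means every suite the cipher string selects uses ephemeral key exchange and an AEAD cipher.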
References