CIPHER STRINGS
dE
2014-10-12 16:13:37 UTC
Hi.

I was reading the openssl ciphers command, where I would like to suggest
something for the CIPHER STRINGS.

Currently all possible cipher strings are listed in the man page with
each of their names having a description which may or may not specify if
it's an authentication, encryption, Kx or MAC algorithm. This is
inconvenient.

I suggest there must be a way to list them all with categories of
authentication, encryption, Kx and MAC along with their common names.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org
Fedor Indutny
2014-10-12 16:33:58 UTC
Hello!

Have you seen: `openssl ciphers -v` output?

Cheers,
Fedor.
Post by dE
Hi.
I was reading the openssl ciphers command, where I would like to suggest
something for the CIPHER STRINGS.
Currently all possible cipher strings are listed in the man page with each
of their names having a description which may or may not specify if it's an
authentication, encryption, Kx or MAC algorithm. This is inconvenient.
I suggest there must be a way to list them all with categories of
authentication, encryption, Kx and MAC along with their common names.
Viktor Dukhovni
2014-10-12 16:45:15 UTC
Post by Fedor Indutny
Have you seen: `openssl ciphers -v` output?
This does not list the cipher string building blocks that represent
classes of cipher suites rather than an individual cipher suite.

Perhaps the OP wants to be able to list these:

aNULL, eNULL, kRSA, AESGCM, ...

Also not clear whether the request is for a more detailed manpage
or a command-line tool.
--
Viktor.
dE
2014-10-12 18:06:01 UTC
Post by Viktor Dukhovni
Post by Fedor Indutny
Have you seen: `openssl ciphers -v` output?
This does not list the cipher string building blocks that represent
classes of cipher suites rather than an individual cipher suite.
aNULL, eNULL, kRSA, AESGCM, ...
Also not clear whether the request is for a more detailed manpage
or a command-line tool.
A command line tool. Like openssl list-ciphersuits

Will list things like --

Encryption --
AES256: AES with 256 passphrase
AES256: AES with 256 passphrase
Camellia: Camellia cipher
...
...

MAC --
MD5 -- MD5 digest algorithm
SHA1 -- SHA1. Warnings, notices etc...
...
...
...

Authentication --
RSA
DSA
...
...

Key exchange --
kRSA
DH
kPSK

Hope you get the idea.

This'll also avoid updating the man page with long descriptive text.
Viktor Dukhovni
2014-10-12 19:43:32 UTC
Post by dE
A command line tool. Like openssl list-ciphersuits
My own preference in this case is complete and accurate documentation.
Post by dE
This'll also avoid updating the man page with long descriptive text.
Even if a command-line tool is created, complete and accurate
documentation is not optional.
--
Viktor.
dE
2014-10-13 03:38:28 UTC
Post by Viktor Dukhovni
Post by dE
A command line tool. Like openssl list-ciphersuits
My own preference in this case is complete and accurate documentation.
Post by dE
This'll also avoid updating the man page with long descriptive text.
Even if a command-line tool is created, complete and accurate
documentation is not optional.
Problem with the documentation is that it's not complete. Many of these
don't specify what the algo does (auth, digest etc...).

They're basically just writing the obvious with some notices about
openSSL specific implementation.

So if you don't know about the algo, you have to google it anyway.
Viktor Dukhovni
2014-10-13 04:45:38 UTC
Post by dE
Post by Viktor Dukhovni
Even if a command-line tool is created, complete and accurate
documentation is not optional.
Problem with the documentation is that it's not complete. Many of these
don't specify what the algo does (auth, digest etc...).
That's the first problem to fix. Contributions welcome.
--
Viktor.
Hubert Kario
2014-10-13 11:39:35 UTC
----- Original Message -----
Sent: Monday, 13 October, 2014 5:38:28 AM
Subject: Re: CIPHER STRINGS
Post by Viktor Dukhovni
Post by dE
A command line tool. Like openssl list-ciphersuits
My own preference in this case is complete and accurate documentation.
Post by dE
This'll also avoid updating the man page with long descriptive text.
Even if a command-line tool is created, complete and accurate
documentation is not optional.
Problem with the documentation is that it's not complete. Many of these
don't specify what the algo does (auth, digest etc...).
They're basically just writing the obvious with some notices about
openSSL specific implementation.
So if you don't know about the algo, you have to google it anyway.
backporting documentation fixes is much easier than code fixes (some
distributions even have mechanisms to update just the man pages
without need of issuing a new binary package)

speaking of which, I did recently update the ciphers man page on 1.0.1
branch with the intended goal to make it aligned with code
actually shipping and more explicit with what different options do.
If you think that it still has some unclear parts I'll gladly hear
about them.

See here for the current version:
https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/doc/apps/ciphers.pod

If the man page in your distro doesn't include those changes, open
a bug report against the distro, we can't help much with this though.
--
Regards,
Hubert Kario
dE
2014-10-14 04:39:11 UTC
Post by Hubert Kario
----- Original Message -----
Sent: Monday, 13 October, 2014 5:38:28 AM
Subject: Re: CIPHER STRINGS
Post by Viktor Dukhovni
Post by dE
A command line tool. Like openssl list-ciphersuits
My own preference in this case is complete and accurate documentation.
Post by dE
This'll also avoid updating the man page with long descriptive text.
Even if a command-line tool is created, complete and accurate
documentation is not optional.
Problem with the documentation is that it's not complete. Many of these
don't specify what the algo does (auth, digest etc...).
They're basically just writing the obvious with some notices about
openSSL specific implementation.
So if you don't know about the algo, you have to google it anyway.
backporting documentation fixes is much easier than code fixes (some
distributions even have mechanisms to update just the man pages
without need of issuing a new binary package)
speaking of which, I did recently update the ciphers man page on 1.0.1
branch with the intended goal to make it aligned with code
actually shipping and more explicit with what different options do.
If you think that it still has some unclear parts I'll gladly hear
about them.
https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/doc/apps/ciphers.pod
If the man page in your distro doesn't include those changes, open
a bug report against the distro, we can't help much with this though.
Thanks for the contribution.

I suggest the kind of algorithm the cipher string targets be placed
somewhere.

e.g. kRSA, RSA, ADH, AECDH should have --

Category:Kx

Many of these don't specify that these are Kx algorithms.

Similarly, AES128, AES256, AES should have

Category:Enc
dE
2014-10-14 04:40:08 UTC
Post by dE
Post by Hubert Kario
----- Original Message -----
Sent: Monday, 13 October, 2014 5:38:28 AM
Subject: Re: CIPHER STRINGS
Post by Viktor Dukhovni
Post by dE
A command line tool. Like openssl list-ciphersuits
My own preference in this case is complete and accurate documentation.
Post by dE
This'll also avoid updating the man page with long descriptive text.
Even if a command-line tool is created, complete and accurate
documentation is not optional.
Problem with the documentation is that it's not complete. Many of these
don't specify what the algo does (auth, digest etc...).
They're basically just writing the obvious with some notices about
openSSL specific implementation.
So if you don't know about the algo, you have to google it anyway.
backporting documentation fixes is much easier than code fixes (some
distributions even have mechanisms to update just the man pages
without need of issuing a new binary package)
speaking of which, I did recently update the ciphers man page on 1.0.1
branch with the intended goal to make it aligned with code
actually shipping and more explicit with what different options do.
If you think that it still has some unclear parts I'll gladly hear
about them.
https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/doc/apps/ciphers.pod
If the man page in your distro doesn't include those changes, open
a bug report against the distro, we can't help much with this though.
Thanks for the contribution.
I suggest the kind of algorithm the cipher string targets be
placed somewhere.
e.g. kRSA, RSA, ADH, AECDH should have --
Category:Kx
Many of these don't specify that these are Kx algorithms.
Similarly, AES128, AES256, AES should have
Category:Enc
This makes searching easy.

Actually if this is made into a table it'll be better. That way users can
filter.
Hubert Kario
2014-10-14 11:17:03 UTC
----- Original Message -----
Sent: Tuesday, 14 October, 2014 6:39:11 AM
Subject: Re: CIPHER STRINGS
Post by Hubert Kario
----- Original Message -----
Sent: Monday, 13 October, 2014 5:38:28 AM
Subject: Re: CIPHER STRINGS
Post by Viktor Dukhovni
Post by dE
A command line tool. Like openssl list-ciphersuits
My own preference in this case is complete and accurate documentation.
Post by dE
This'll also avoid updating the man page with long descriptive text.
Even if a command-line tool is created, complete and accurate
documentation is not optional.
Problem with the documentation is that it's not complete. Many of these
don't specify what the algo does (auth, digest etc...).
They're basically just writing the obvious with some notices about
openSSL specific implementation.
So if you don't know about the algo, you have to google it anyway.
backporting documentation fixes is much easier than code fixes (some
distributions even have mechanisms to update just the man pages
without need of issuing a new binary package)
speaking of which, I did recently update the ciphers man page on 1.0.1
branch with the intended goal to make it aligned with code
actually shipping and more explicit with what different options do.
If you think that it still has some unclear parts I'll gladly hear
about them.
https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/doc/apps/ciphers.pod
If the man page in your distro doesn't include those changes, open
a bug report against the distro, we can't help much with this though.
Thanks for the contribution.
I suggest the kind of algorithm the cipher string targets be placed
somewhere.
e.g. kRSA, RSA, ADH, AECDH should have --
Category:Kx
Many of these don't specify that these are Kx algorithms.
Similarly, AES128, AES256, AES should have
Category:Enc
It is sorted more or less this way, first key exchanges, then authentication
algorithms, encryption algorithms and finally HMACs/PRFs.

The exception being FORTEZZA, which is unsupported and you shouldn't use it
and GOST algorithms which have very specific and limited use.

Problem is that some of those aliases don't have one specific meaning.
For example 'ECDH' will match the "regular" ECDHE key exchange, but it
will also match aECDH ciphers, similarly with 'DH'. So you can't assign them
to a single category.
--
Regards,
Hubert Kario
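The per-category listing dE asks for earlier in the thread, and Hubert's point that an alias selecting on key exchange alone (such as 'ECDH' or 'DH') covers suites with several different authentication methods, can both be seen by tabulating the Kx/Au/Enc/Mac columns of `openssl ciphers -v`. The script below is an added example, not OpenSSL's code or any tool proposed in this thread. The sample output it parses is constructed by hand in the `-v` column format, and the function names are my own; on a real system, pipe the output of `openssl ciphers -v 'ALL:COMPLEMENTOFALL'` into `parse_ciphers_v()` to audit the build actually installed.

```python
"""Classify `openssl ciphers -v` rows by key exchange, authentication,
encryption and MAC, and show why a Kx-only alias spans several Au values.

Added example for the openssl-dev thread; not OpenSSL's own code.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of `openssl ciphers -v` output
# (suite name, protocol, Kx=, Au=, Enc=, Mac=).  Not captured from a real run.
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256   TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)   Mac=SHA256
AECDH-AES256-SHA            SSLv3   Kx=ECDH     Au=None  Enc=AES(256)   Mac=SHA1
DHE-RSA-AES256-SHA          SSLv3   Kx=DH       Au=RSA   Enc=AES(256)   Mac=SHA1
ADH-AES128-SHA              SSLv3   Kx=DH       Au=None  Enc=AES(128)   Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA   Enc=AES(128)   Mac=SHA1
PSK-AES256-CBC-SHA          SSLv3   Kx=PSK      Au=PSK   Enc=AES(256)   Mac=SHA1
"""

# One `-v` row: name, protocol, then the four labelled components.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+"
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers_v(text):
    """Turn `openssl ciphers -v` output into a list of dicts; lines that do
    not match the column format (warnings, blank lines) are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def group_by(rows, field):
    """Map each distinct value of one column ('kx', 'au', 'enc' or 'mac')
    to the suite names that use it: the per-category view requested above."""
    groups = defaultdict(list)
    for r in rows:
        groups[r[field]].append(r["name"])
    return dict(groups)


def auth_methods_for_kx(rows, kx):
    """Authentication methods found among suites sharing one key exchange.

    A cipher string alias that selects on Kx alone covers every Au value
    returned here, so it cannot be filed under a single category."""
    return sorted({r["au"] for r in rows if r["kx"] == kx})


def anonymous_suites(rows):
    """Suites with no server authentication (Au=None, the aNULL class);
    these are the ones an audit of a server cipher list should flag."""
    return sorted(r["name"] for r in rows if r["au"] == "None")


if __name__ == "__main__":
    rows = parse_ciphers_v(SAMPLE_OUTPUT)
    for field, label in (("kx", "Key exchange"), ("au", "Authentication"),
                         ("enc", "Encryption"), ("mac", "MAC")):
        print(f"{label} --")
        for value, names in sorted(group_by(rows, field).items()):
            print(f"  {value}: {', '.join(names)}")
    print("Au values under Kx=ECDH:", auth_methods_for_kx(rows, "ECDH"))
    print("Unauthenticated suites:", anonymous_suites(rows))
```

Because the grouping is driven by the columns OpenSSL itself prints, the table stays correct for whatever suites a given build enables, which is the property the thread wanted from the man page; the alias-to-category question only arises when one tries to give a single label to an alias whose expansion mixes rows from different Au groups.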
dE
2014-10-14 15:28:26 UTC
Post by Hubert Kario
----- Original Message -----
Sent: Tuesday, 14 October, 2014 6:39:11 AM
Subject: Re: CIPHER STRINGS
Post by Hubert Kario
----- Original Message -----
Sent: Monday, 13 October, 2014 5:38:28 AM
Subject: Re: CIPHER STRINGS
Post by Viktor Dukhovni
Post by dE
A command line tool. Like openssl list-ciphersuits
My own preference in this case is complete and accurate documentation.
Post by dE
This'll also avoid updating the man page with long descriptive text.
Even if a command-line tool is created, complete and accurate
documentation is not optional.
Problem with the documentation is that it's not complete. Many of these
don't specify what the algo does (auth, digest etc...).
They're basically just writing the obvious with some notices about
openSSL specific implementation.
So if you don't know about the algo, you have to google it anyway.
backporting documentation fixes is much easier than code fixes (some
distributions even have mechanisms to update just the man pages
without need of issuing a new binary package)
speaking of which, I did recently update the ciphers man page on 1.0.1
branch with the intended goal to make it aligned with code
actually shipping and more explicit with what different options do.
If you think that it still has some unclear parts I'll gladly hear
about them.
https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/doc/apps/ciphers.pod
If the man page in your distro doesn't include those changes, open
a bug report against the distro, we can't help much with this though.
Thanks for the contribution.
I suggest the kind of algorithm the cipher string targets be placed
somewhere.
e.g. kRSA, RSA, ADH, AECDH should have --
Category:Kx
Many of these don't specify that these are Kx algorithms.
Similarly, AES128, AES256, AES should have
Category:Enc
It is sorted more or less this way, first key exchanges, then authentication
algorithms, encryption algorithms and finally HMACs/PRFs.
The exception being FORTEZZA, which is unsupported and you shouldn't use it
and GOST algorithms which have very specific and limited use.
Problem is that some of those aliases don't have one specific meaning.
For example 'ECDH' will match the "regular" ECDHE key exchange, but it
will also match aECDH ciphers, similarly with 'DH'. So you can't assign them
to a single category.
You can make an 'others' category that way, or make duplicate entries.

I would suggest a table so you can map duplicate entries too. Hope the
man page allows tables.

You know these strings are used in programs like Apache so they must be
clear.