summaryrefslogtreecommitdiff
path: root/doc/TLSVERSION_CIPHERSUITES
diff options
context:
space:
mode:
Diffstat (limited to 'doc/TLSVERSION_CIPHERSUITES')
-rw-r--r--doc/TLSVERSION_CIPHERSUITES62
1 files changed, 62 insertions, 0 deletions
diff --git a/doc/TLSVERSION_CIPHERSUITES b/doc/TLSVERSION_CIPHERSUITES
new file mode 100644
index 0000000..645e44a
--- /dev/null
+++ b/doc/TLSVERSION_CIPHERSUITES
@@ -0,0 +1,62 @@
+TLS Version & Cipher Suites
+---------------------------
+
+ucspi-ssl provides two hooks to adjust the TLS version and the Cipher Suite:
+
+1. Client and Server (sslclient, sslhandle, sslserver):
+
+The TLS/SSL protocol versions
+
+- SSLv2 and
+- SSLv3
+
+are disabled in ucspissl.h.
+
+- TLSv1 is already included here, but is still commented out.
+
+
+2. The Cipher Suite accepted by the Server (sslhandle, sslserver)
+
+a) Pre-TLS 1.3
+
+Here, you can adjust the settings by means of CIPHER environment variables.
+Some typical choices:
+
+#CIPHERS="'TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH'"
+#CIPHERS="TLSv1+HIGH:!SSLv2:!MD5"
+CIPHERS="TLSv1.2+HIGH:TLSv1.1+HIGH:!TLSv1+HIGH:!aNULL:!eNULL:@STRENGTH"
+
+This variable can be statically defined for all connections or used
+as environment variable specified with the tcprule database.
+
+OpenSSL supports even very old and inscure crypto primites like MD5 or DES;
+however under current circumstances they are not negotiated.
+
+b) TLS 1.3
+
+While previous TLS understand some phrasings like 'DEFAULT', 'HIGH' in TLS 1.3
+a new API and a new scheme is used
+(https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html):
+
+>> An empty list is permissible. The default value for the this setting is:
+
+ "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" <<
+
+This means 'TLS_AES_256_GCM_SHA384' has priority. However, you can tweak this to:
+
+ "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
+
+thus, the first choice is CHACHA20. In case AES_256 is present, it has
+precedence over CHACHA20.
+
+Remember: In any case, only ECDHE is used as handshake protocol.
+
+
+3. Online Resources
+
+OpenSSL: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html
+
+LibreSSL: https://fossies.org/linux/libressl/man/SSL_CTX_set_cipher_list.3
+
+
+--eh, Oktober 2023.
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-04 23:09:36 +0000