pikesaku’s blog





Checked with man ciphers (the following is an excerpt)

       The following is a list of all permitted cipher strings and their meanings.

       DEFAULT
           the default cipher list. This is determined at compile time and, as of OpenSSL 1.0.0, is normally ALL:!aNULL:!eNULL. This must be the first
           cipher string specified.

       COMPLEMENTOFDEFAULT
           the ciphers included in ALL, but not enabled by default. Currently this is ADH and AECDH. Note that this rule does not cover eNULL, which is
           not included by ALL (use COMPLEMENTOFALL if necessary).

       ALL all cipher suites except the eNULL ciphers which must be explicitly enabled; as of OpenSSL, the ALL cipher suites are reasonably ordered by

       COMPLEMENTOFALL
           the cipher suites not enabled by ALL, currently being eNULL.

       HIGH
           "high" encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys.

       MEDIUM
           "medium" encryption cipher suites, currently some of those using 128 bit encryption.

       LOW "low" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but excluding export cipher suites.

       EXP, EXPORT
           export encryption algorithms. Including 40 and 56 bits algorithms.

       EXPORT40
           40 bit export encryption algorithms

       EXPORT56
           56 bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of 56 bit export ciphers is empty unless OpenSSL has been
           explicitly configured with support for experimental ciphers.

       eNULL, NULL
           the "NULL" ciphers that is those offering no encryption. Because these offer no encryption at all and are a security risk they are disabled
           unless explicitly included.

       aNULL
           the cipher suites offering no authentication. This is currently the anonymous DH algorithms and anonymous ECDH algorithms. These cipher
           suites are vulnerable to a "man in the middle" attack and so their use is normally discouraged.


# openssl ciphers -v 'aNULL'
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)  Mac=SHA256
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
ADH-CAMELLIA256-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(128) Mac=AEAD
ADH-AES128-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(128)  Mac=SHA256
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH     Au=None Enc=3DES(168) Mac=SHA1
ADH-SEED-SHA            SSLv3 Kx=DH       Au=None Enc=SEED(128) Mac=SHA1
ADH-CAMELLIA128-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)   Mac=SHA1
EXP-ADH-DES-CBC-SHA     SSLv3 Kx=DH(512)  Au=None Enc=DES(40)   Mac=SHA1 export
EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
AECDH-NULL-SHA          SSLv3 Kx=ECDH     Au=None Enc=None      Mac=SHA1
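The properties the ciphers(1) excerpt warns about (Au=None, Enc=None, export grade, short keys) are all visible as columns in the openssl ciphers -v output above, so a configured cipher string can be audited offline before it is ever deployed. The script below is an added example, not code from the original post: it parses those -v columns with awk and prints, per suite, why it is weak. It goes a little beyond the man page text by also flagging RC4, 3DES and MD5 MACs. The sample listing is constructed from three lines of the aNULL output above plus one sound suite (ECDHE-RSA-AES128-GCM-SHA256) for contrast; in practice the input would be piped from openssl ciphers -v "<your cipher string>".

```shell
#!/bin/sh
# Added example (not from the original post): audit `openssl ciphers -v` output.
# Each input line has the shape:
#   NAME PROTO Kx=... Au=... Enc=ALG(BITS) Mac=... [export]

# Print the reasons a single suite line is weak, space separated;
# print an empty line if none apply.
suite_weaknesses() {
    printf '%s\n' "$1" | awk '{
        reasons = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "Au=None")   reasons = reasons " no-authentication"   # aNULL: MITM-able
            if ($i == "Enc=None")  reasons = reasons " no-encryption"       # eNULL
            if ($i ~ /^Enc=RC4/)   reasons = reasons " rc4"                 # beyond the man page
            if ($i ~ /^Enc=3DES/)  reasons = reasons " 3des-64bit-block"    # beyond the man page
            if ($i ~ /^Enc=/ && match($i, /\([0-9]+\)/)) {
                bits = substr($i, RSTART + 1, RLENGTH - 2) + 0          # key length in Enc=ALG(BITS)
                if (bits < 112) reasons = reasons " key<112"               # LOW / EXPORT strength
            }
            if ($i == "Mac=MD5")   reasons = reasons " md5-mac"             # beyond the man page
            if ($i == "export")    reasons = reasons " export-grade"        # EXP / EXPORT
        }
        sub(/^ /, "", reasons)
        print reasons
    }'
}

# Read a whole listing on stdin and print "NAME: reasons" for each weak suite.
audit_cipher_listing() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        r=$(suite_weaknesses "$line")
        [ -n "$r" ] && printf '%s: %s\n' "${line%% *}" "$r"
    done
    return 0
}

# Number of weak suites in a listing read from stdin.
count_weak_suites() {
    audit_cipher_listing | wc -l | tr -d ' '
}

# Constructed sample: three lines from the aNULL listing above plus one sound suite.
SAMPLE_LISTING='ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
AECDH-NULL-SHA          SSLv3 Kx=ECDH     Au=None Enc=None      Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD'

# Demo on the constructed sample; for a real check use:
#   openssl ciphers -v 'YOUR:CIPHER:STRING' | audit_cipher_listing
printf '%s\n' "$SAMPLE_LISTING" | audit_cipher_listing
```

Because aNULL, eNULL and export suites are exactly what DEFAULT (ALL:!aNULL:!eNULL) is meant to exclude, an empty audit of your own cipher string is the quick confirmation that the exclusions actually took effect on the OpenSSL build you run.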



# Probe every suite in ALL against a server at TLS 1.0, 1.1 and 1.2.
# The original post leaves the -connect argument blank; pass host:port as $1.
TARGET="${1:?usage: $0 host:port}"
openssl ciphers -v 'ALL' | while read -r line; do
  C=$(echo "$line" | awk '{print $1}')   # suite name, first column of -v output
  for PROTO in tls1 tls1_1 tls1_2; do
    echo "" | openssl s_client -connect "$TARGET" "-$PROTO" -cipher "$C" 2>&1 \
      | egrep "Secure Renegotiation|Protocol *:|Cipher *:" | tr "\n" "#"
    echo ""
  done
done
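The probe above leaves three grep'd lines per suite for the reader to interpret, and a failed handshake still prints a Protocol line, so "TLSv1" in the output does not by itself mean the suite was accepted. The function below is an added example, not code from the original post: it reduces a captured s_client transcript to a single verdict, treating a Cipher of 0000 or (NONE) as a failed handshake and carrying the Secure Renegotiation status along, which is the same set of lines the original grep selects. probe_suite wraps the s_client call from the script above around it; the two transcripts are constructed samples so the parser can be exercised without a network.

```shell
#!/bin/sh
# Added example (not from the original post): summarise one s_client run.

# Reduce an s_client transcript on stdin to "PROTO CIPHER RENEG" or "FAILED".
sclient_summary() {
    awk '
        /^ *Protocol *:/ { proto = $3 }
        /^ *Cipher *:/   { cipher = $3 }
        /^Secure Renegotiation IS supported/     { reneg = "reneg-ok" }
        /^Secure Renegotiation IS NOT supported/ { reneg = "reneg-insecure" }
        END {
            # s_client prints Cipher 0000 / (NONE) when no suite was negotiated
            if (cipher == "" || cipher == "0000" || cipher == "(NONE)") print "FAILED"
            else print proto, cipher, (reneg == "" ? "reneg-unknown" : reneg)
        }'
}

# Live wrapper: probe_suite host:port tls1_2 ECDHE-RSA-AES128-GCM-SHA256
# (same s_client flags as the script above; not exercised in the offline demo).
probe_suite() {
    echo "" | openssl s_client -connect "$1" "-$2" -cipher "$3" 2>&1 | sclient_summary
}

# Constructed sample of a successful handshake.
OK_TRANSCRIPT='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

# Constructed sample of a refused suite: the Protocol line is still printed.
FAIL_TRANSCRIPT='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

printf '%s\n' "$OK_TRANSCRIPT"   | sclient_summary
printf '%s\n' "$FAIL_TRANSCRIPT" | sclient_summary
```

Feeding each probe through sclient_summary turns the scan into a list of (suite, version) pairs the server actually accepts, and "reneg-insecure" on an accepted suite is the case worth raising with whoever runs the server.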