LinuxCommandLibrary

ciphers.1s

Display OpenSSL's list of cipher suites

SYNOPSIS

openssl ciphers [options] [cipherlist]

PARAMETERS

-v
    Displays verbose information about each cipher, including protocol, key exchange, encryption, and message digest.

-V
    Shows very verbose information, including OpenSSL-specific internal IDs for each cipher.

-tls1_3
    Filters the output to only show cipher suites compatible with TLS 1.3.

-s
    Lists cipher suites in a format suitable for scripting or parsing, often used for configuration files.

-allow_broken
    Includes cipher suites known to be broken or insecure in the output. Use with extreme caution.

-std
    Displays cipher suite names using their standard IANA/RFC names, rather than OpenSSL's internal names.

-list
    Explicitly requests a list of ciphers (this is the default behavior).

cipherlist
    A colon-separated string specifying criteria to filter and order the listed ciphers (e.g., HIGH:!ADH:TLSv1.2).

DESCRIPTION

The openssl ciphers command is a powerful utility within the OpenSSL toolkit, designed to display and manage cryptographic cipher suites. It allows users to list all available SSL/TLS cipher suites supported by their OpenSSL installation, filter them using a flexible colon-separated string format, and retrieve detailed information about each cipher. This tool is fundamental for system administrators and developers configuring and auditing the cryptographic security of applications that rely on SSL/TLS. By using openssl ciphers, one can ensure that only desired and secure cipher suites are enabled, helping to mitigate risks associated with weak or outdated cryptographic protocols. It provides insights into the various components of a cipher suite, such as the protocol version, key exchange method, authentication mechanism, encryption algorithm, and message digest function, which are crucial for maintaining robust network security.

CAVEATS

ciphers.1s is a man page name: it refers to the openssl ciphers command documented in section 1 of the OpenSSL manual. The actual command executed on a Linux system is openssl ciphers.
The list of supported ciphers and their details can vary significantly based on the installed OpenSSL version and its compile-time configuration.
Understanding the complex cipherlist string format requires familiarity with SSL/TLS terminology and OpenSSL's specific syntax.

CIPHER LIST STRING SYNTAX

The cipherlist argument is a powerful and flexible colon-separated string used to filter and order cipher suites. It supports keywords like HIGH, MEDIUM, LOW, DEFAULT, TLSv1.2, !aNULL, +SHA, etc., allowing precise control over which ciphers are included or excluded based on their security properties, protocol versions, and algorithms. This syntax is common across various OpenSSL functions and configurations.

SECURITY BEST PRACTICES

Utilizing openssl ciphers is crucial for implementing security best practices. It helps identify and disable weak or deprecated cipher suites (e.g., those using MD5, SHA1 for authentication, or short key lengths) and enforce the use of modern, strong ciphers (e.g., AES-GCM, ChaCha20-Poly1305 with TLS 1.2 or 1.3). Regular auditing of supported ciphers is recommended to adapt to the evolving threat landscape.
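
The audit described above, as an added example (not part of the original page or the OpenSSL manual): it parses the per-suite fields printed by openssl ciphers -v and flags unauthenticated or unencrypted suites, short keys, and MD5 or SHA1 digests. The names audit_ciphers and sample_ciphers are hypothetical, the sample lines are constructed, and the 128-bit cutoff for "short key" is an assumption.

```shell
#!/bin/sh
# Added example: audit `openssl ciphers -v` output against the weaknesses the
# page names. Line shape: NAME PROTO Kx=... Au=... Enc=ALG(BITS) Mac=...

# audit_ciphers (hypothetical helper): reads -v lines on stdin and prints
# "OK   <name>" or "WEAK <name>: <reasons>".
audit_ciphers() {
    awk '
    NF >= 6 {
        au = ""; enc = ""; mac = ""; why = ""; bits = 0
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Au=/)  au  = substr($i, 4)
            if ($i ~ /^Enc=/) enc = substr($i, 5)
            if ($i ~ /^Mac=/) mac = substr($i, 5)
        }
        # Key size is the number in parentheses after the algorithm name.
        if (match(enc, /\([0-9]+\)/))
            bits = substr(enc, RSTART + 1, RLENGTH - 2) + 0
        if (au == "None")           why = why " no-auth"        # aNULL / ADH
        if (enc == "None")          why = why " no-encryption"  # eNULL
        if (bits > 0 && bits < 128) why = why " short-key"      # assumed cutoff
        if (mac == "MD5")           why = why " md5-mac"
        if (mac == "SHA1")          why = why " sha1-mac"
        if (why == "") print "OK   " $1
        else           print "WEAK " $1 ":" why
    }'
}

# Constructed sample in the -v format, so the audit runs without OpenSSL.
sample_ciphers() {
    cat <<'EOF'
TLS_AES_256_GCM_SHA384      TLSv1.3 Kx=any  Au=any  Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA  Enc=AES(128)               Mac=SHA1
ADH-AES128-SHA              SSLv3   Kx=DH   Au=None Enc=AES(128)               Mac=SHA1
RC4-MD5                     SSLv3   Kx=RSA  Au=RSA  Enc=RC4(128)               Mac=MD5
DES-CBC-SHA                 SSLv3   Kx=RSA  Au=RSA  Enc=DES(56)                Mac=SHA1
NULL-SHA256                 TLSv1.2 Kx=RSA  Au=RSA  Enc=None                   Mac=SHA256
EOF
}

# Live use: openssl ciphers -v 'HIGH:!ADH' | audit_ciphers
sample_ciphers | audit_ciphers
```

Piping the output for a candidate cipherlist string through audit_ciphers before deploying it shows whether the string still admits any suite the policy is meant to exclude.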

HISTORY

The openssl ciphers command has been an integral part of the OpenSSL toolkit for many years, evolving alongside the SSL/TLS protocols themselves. Its development has consistently aimed to provide users with tools to inspect and manage cryptographic capabilities, adapting to new protocol versions (like TLS 1.2 and TLS 1.3) and addressing emerging security vulnerabilities in older ciphers. Its consistent presence and enhancements underline its critical role in the security hardening of network services.

SEE ALSO

openssl(1), s_client(1), s_server(1), config(5), ssl(3)
