Ciphersuites configuration: unknown command
Andrew Clayton
andrew at digital-domain.net
Tue Oct 8 16:17:10 UTC 2024
On Tue, 8 Oct 2024 10:13:17 +0200
Ariel Goyeneche <agoyeneche at gmail.com> wrote:
> Hi Andrew,
>
> Thanks for the answer. I believe that you are suggesting that these
> parameters are passed through to the underlying ssl as command line
> parameters.
> I tried all possible alternatives that I was able to find online (-, camel
> case, lower case underscore separated) but I am always getting the same
> error:
>   unknown command "ciphersuites" in "conf_commands"
>   unknown command "-ciphersuites" in "conf_commands"
>   unknown command "ciphers" in "conf_commands"
>   unknown command "-ciphers" in "conf_commands"
>
> Anyone else in the community that managed to get this config working please?
> My openssl version is: OpenSSL 1.0.2k-fips 26 Jan 2017
OK, so the following works for me with OpenSSL 3.2.2:
  "tls": {
      "certificate": "bundle",
      "conf_commands": {
          "ciphersuites": "TLS_AES_256_GCM_SHA384",
          "minprotocol": "TLSv1.2"
      }
  }
For OpenSSL 1.0.2 it looks like you should use "cipher" (singular)
instead of "ciphersuites".
MinProtocol isn't in 1.0.2, but there is 'Protocol' that you may be
able to use instead (however it's deprecated in favour of MinProtocol &
MaxProtocol in newer versions).
From the 1.0.2 SSL_CONF_cmd(3ossl) man-page for 'Protocol':
"The supported versions of the SSL or TLS protocol.
The value argument is a comma separated list of supported
protocols to enable or disable. If a protocol is preceded
by - that version is disabled. Currently supported protocol
values are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2. All
protocol versions other than SSLv2 are enabled by default.
To avoid inadvertent enabling of SSLv2, when SSLv2 is
disabled, it is not possible to enable it via the Protocol
command."
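As an added example (not from the thread or from the Unit project), the snippet below models the 'Protocol' rules quoted from the 1.0.2 man page and builds the equivalent of the newer MinProtocol setting for a Unit "conf_commands" object; it assumes the lower-case command names that the working 3.2.2 config above uses, and the hypothetical helper names are mine.

```python
"""Added example: model of OpenSSL 1.0.2 'Protocol' and a MinProtocol
fallback for NGINX Unit "conf_commands" (not code from the thread)."""

# Versions in the order the 1.0.2 man page lists them (oldest first).
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def enabled_protocols(value):
    """Apply a 'Protocol' value such as "-SSLv3,-TLSv1" per the quoted
    man page: all but SSLv2 start enabled, "-X" disables X, a bare "X"
    enables X, and SSLv2 can never be enabled."""
    enabled = set(PROTOCOLS) - {"SSLv2"}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        disable = token.startswith("-")
        name = token[1:] if disable else token
        if name not in PROTOCOLS:
            raise ValueError("unknown protocol %r in Protocol value" % name)
        if disable:
            enabled.discard(name)
        elif name != "SSLv2":  # SSLv2 stays off however it is written
            enabled.add(name)
    return enabled


def min_protocol_as_protocol_cmd(minimum):
    """'Protocol' value disabling every version below `minimum`,
    e.g. "TLSv1.2" -> "-SSLv2,-SSLv3,-TLSv1,-TLSv1.1"."""
    if minimum not in PROTOCOLS:
        raise ValueError("unknown protocol %r" % minimum)
    below = PROTOCOLS[:PROTOCOLS.index(minimum)]
    return ",".join("-" + name for name in below)


def tls_conf_commands(openssl_version, minimum):
    """Unit "conf_commands" dict enforcing a minimum TLS version.
    MinProtocol/MaxProtocol were added in OpenSSL 1.1.0; older builds
    get the equivalent 'Protocol' list instead (hypothetical helper)."""
    if openssl_version >= (1, 1, 0):
        return {"minprotocol": minimum}
    return {"protocol": min_protocol_as_protocol_cmd(minimum)}


if __name__ == "__main__":
    import ssl
    # Uses the OpenSSL that this Python interpreter is linked against.
    print(tls_conf_commands(ssl.OPENSSL_VERSION_INFO[:3], "TLSv1.2"))
```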