openssl on RHEL7

Updated

openssl on RHEL7 is originally based on openssl-1.0.1e but was rebased to openssl-1.0.2k with RHEL7.4

This article is part of the Securing Applications Collection

Due to the serious issues with the design of TLS and implementation issues in openssl uncovered during the lifetime of RHEL7 you should always use the latest version but at least

 openssl-1.0.2k-21.el7_9

Capabilities

Protocols

  • TLSv1.2
  • TLSv1.1
  • TLSv1
  • SSLv3
  • SSLv2 - REMOVED IN RHEL7.4/openssl-1.0.2k

Ciphers

$ openssl ciphers -v
Cipher NameProtocolKey ExchangeAuthenticationEncryptionMsg Authentication
ECDHE-RSA-AES256-GCM-SHA384TLSv1.2Kx=ECDHAu=RSAEnc=AESGCM(256)Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384TLSv1.2Kx=ECDHAu=ECDSAEnc=AESGCM(256)Mac=AEAD
ECDHE-RSA-AES256-SHA384TLSv1.2Kx=ECDHAu=RSAEnc=AES(256)Mac=SHA384
ECDHE-ECDSA-AES256-SHA384TLSv1.2Kx=ECDHAu=ECDSAEnc=AES(256)Mac=SHA384
ECDHE-RSA-AES256-SHASSLv3Kx=ECDHAu=RSAEnc=AES(256)Mac=SHA1
ECDHE-ECDSA-AES256-SHASSLv3Kx=ECDHAu=ECDSAEnc=AES(256)Mac=SHA1
DH-DSS-AES256-GCM-SHA384TLSv1.2Kx=DH/DSSAu=DHEnc=AESGCM(256)Mac=AEAD
DHE-DSS-AES256-GCM-SHA384TLSv1.2Kx=DHAu=DSSEnc=AESGCM(256)Mac=AEAD
DH-RSA-AES256-GCM-SHA384TLSv1.2Kx=DH/RSAAu=DHEnc=AESGCM(256)Mac=AEAD
DHE-RSA-AES256-GCM-SHA384TLSv1.2Kx=DHAu=RSAEnc=AESGCM(256)Mac=AEAD
DHE-RSA-AES256-SHA256TLSv1.2Kx=DHAu=RSAEnc=AES(256)Mac=SHA256
DHE-DSS-AES256-SHA256TLSv1.2Kx=DHAu=DSSEnc=AES(256)Mac=SHA256
DH-RSA-AES256-SHA256TLSv1.2Kx=DH/RSAAu=DHEnc=AES(256)Mac=SHA256
DH-DSS-AES256-SHA256TLSv1.2Kx=DH/DSSAu=DHEnc=AES(256)Mac=SHA256
DHE-RSA-AES256-SHASSLv3Kx=DHAu=RSAEnc=AES(256)Mac=SHA1
DHE-DSS-AES256-SHASSLv3Kx=DHAu=DSSEnc=AES(256)Mac=SHA1
DH-RSA-AES256-SHASSLv3Kx=DH/RSAAu=DHEnc=AES(256)Mac=SHA1
DH-DSS-AES256-SHASSLv3Kx=DH/DSSAu=DHEnc=AES(256)Mac=SHA1
DHE-RSA-CAMELLIA256-SHASSLv3Kx=DHAu=RSAEnc=Camellia(256)Mac=SHA1
DHE-DSS-CAMELLIA256-SHASSLv3Kx=DHAu=DSSEnc=Camellia(256)Mac=SHA1
DH-RSA-CAMELLIA256-SHASSLv3Kx=DH/RSAAu=DHEnc=Camellia(256)Mac=SHA1
DH-DSS-CAMELLIA256-SHASSLv3Kx=DH/DSSAu=DHEnc=Camellia(256)Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384TLSv1.2Kx=ECDH/RSAAu=ECDHEnc=AESGCM(256)Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384TLSv1.2Kx=ECDH/ECDSAAu=ECDHEnc=AESGCM(256)Mac=AEAD
ECDH-RSA-AES256-SHA384TLSv1.2Kx=ECDH/RSAAu=ECDHEnc=AES(256)Mac=SHA384
ECDH-ECDSA-AES256-SHA384TLSv1.2Kx=ECDH/ECDSAAu=ECDHEnc=AES(256)Mac=SHA384
ECDH-RSA-AES256-SHASSLv3Kx=ECDH/RSAAu=ECDHEnc=AES(256)Mac=SHA1
ECDH-ECDSA-AES256-SHASSLv3Kx=ECDH/ECDSAAu=ECDHEnc=AES(256)Mac=SHA1
AES256-GCM-SHA384TLSv1.2Kx=RSAAu=RSAEnc=AESGCM(256)Mac=AEAD
AES256-SHA256TLSv1.2Kx=RSAAu=RSAEnc=AES(256)Mac=SHA256
AES256-SHASSLv3Kx=RSAAu=RSAEnc=AES(256)Mac=SHA1
CAMELLIA256-SHASSLv3Kx=RSAAu=RSAEnc=Camellia(256)Mac=SHA1
PSK-AES256-CBC-SHASSLv3Kx=PSKAu=PSKEnc=AES(256)Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256TLSv1.2Kx=ECDHAu=RSAEnc=AESGCM(128)Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256TLSv1.2Kx=ECDHAu=ECDSAEnc=AESGCM(128)Mac=AEAD
ECDHE-RSA-AES128-SHA256TLSv1.2Kx=ECDHAu=RSAEnc=AES(128)Mac=SHA256
ECDHE-ECDSA-AES128-SHA256TLSv1.2Kx=ECDHAu=ECDSAEnc=AES(128)Mac=SHA256
ECDHE-RSA-AES128-SHASSLv3Kx=ECDHAu=RSAEnc=AES(128)Mac=SHA1
ECDHE-ECDSA-AES128-SHASSLv3Kx=ECDHAu=ECDSAEnc=AES(128)Mac=SHA1
DH-DSS-AES128-GCM-SHA256TLSv1.2Kx=DH/DSSAu=DHEnc=AESGCM(128)Mac=AEAD
DHE-DSS-AES128-GCM-SHA256TLSv1.2Kx=DHAu=DSSEnc=AESGCM(128)Mac=AEAD
DH-RSA-AES128-GCM-SHA256TLSv1.2Kx=DH/RSAAu=DHEnc=AESGCM(128)Mac=AEAD
DHE-RSA-AES128-GCM-SHA256TLSv1.2Kx=DHAu=RSAEnc=AESGCM(128)Mac=AEAD
DHE-RSA-AES128-SHA256TLSv1.2Kx=DHAu=RSAEnc=AES(128)Mac=SHA256
DHE-DSS-AES128-SHA256TLSv1.2Kx=DHAu=DSSEnc=AES(128)Mac=SHA256
DH-RSA-AES128-SHA256TLSv1.2Kx=DH/RSAAu=DHEnc=AES(128)Mac=SHA256
DH-DSS-AES128-SHA256TLSv1.2Kx=DH/DSSAu=DHEnc=AES(128)Mac=SHA256
DHE-RSA-AES128-SHASSLv3Kx=DHAu=RSAEnc=AES(128)Mac=SHA1
DHE-DSS-AES128-SHASSLv3Kx=DHAu=DSSEnc=AES(128)Mac=SHA1
DH-RSA-AES128-SHASSLv3Kx=DH/RSAAu=DHEnc=AES(128)Mac=SHA1
DH-DSS-AES128-SHASSLv3Kx=DH/DSSAu=DHEnc=AES(128)Mac=SHA1
DHE-RSA-SEED-SHASSLv3Kx=DHAu=RSAEnc=SEED(128)Mac=SHA1
DHE-DSS-SEED-SHASSLv3Kx=DHAu=DSSEnc=SEED(128)Mac=SHA1
DH-RSA-SEED-SHASSLv3Kx=DH/RSAAu=DHEnc=SEED(128)Mac=SHA1
DH-DSS-SEED-SHASSLv3Kx=DH/DSSAu=DHEnc=SEED(128)Mac=SHA1
DHE-RSA-CAMELLIA128-SHASSLv3Kx=DHAu=RSAEnc=Camellia(128)Mac=SHA1
DHE-DSS-CAMELLIA128-SHASSLv3Kx=DHAu=DSSEnc=Camellia(128)Mac=SHA1
DH-RSA-CAMELLIA128-SHASSLv3Kx=DH/RSAAu=DHEnc=Camellia(128)Mac=SHA1
DH-DSS-CAMELLIA128-SHASSLv3Kx=DH/DSSAu=DHEnc=Camellia(128)Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256TLSv1.2Kx=ECDH/RSAAu=ECDHEnc=AESGCM(128)Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256TLSv1.2Kx=ECDH/ECDSAAu=ECDHEnc=AESGCM(128)Mac=AEAD
ECDH-RSA-AES128-SHA256TLSv1.2Kx=ECDH/RSAAu=ECDHEnc=AES(128)Mac=SHA256
ECDH-ECDSA-AES128-SHA256TLSv1.2Kx=ECDH/ECDSAAu=ECDHEnc=AES(128)Mac=SHA256
ECDH-RSA-AES128-SHASSLv3Kx=ECDH/RSAAu=ECDHEnc=AES(128)Mac=SHA1
ECDH-ECDSA-AES128-SHASSLv3Kx=ECDH/ECDSAAu=ECDHEnc=AES(128)Mac=SHA1
AES128-GCM-SHA256TLSv1.2Kx=RSAAu=RSAEnc=AESGCM(128)Mac=AEAD
AES128-SHA256TLSv1.2Kx=RSAAu=RSAEnc=AES(128)Mac=SHA256
AES128-SHASSLv3Kx=RSAAu=RSAEnc=AES(128)Mac=SHA1
SEED-SHASSLv3Kx=RSAAu=RSAEnc=SEED(128)Mac=SHA1
CAMELLIA128-SHASSLv3Kx=RSAAu=RSAEnc=Camellia(128)Mac=SHA1
PSK-AES128-CBC-SHASSLv3Kx=PSKAu=PSKEnc=AES(128)Mac=SHA1
ECDHE-RSA-DES-CBC3-SHASSLv3Kx=ECDHAu=RSAEnc=3DES(168)Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHASSLv3Kx=ECDHAu=ECDSAEnc=3DES(168)Mac=SHA1
EDH-RSA-DES-CBC3-SHASSLv3Kx=DHAu=RSAEnc=3DES(168)Mac=SHA1
EDH-DSS-DES-CBC3-SHASSLv3Kx=DHAu=DSSEnc=3DES(168)Mac=SHA1
DH-RSA-DES-CBC3-SHASSLv3Kx=DH/RSAAu=DHEnc=3DES(168)Mac=SHA1
DH-DSS-DES-CBC3-SHASSLv3Kx=DH/DSSAu=DHEnc=3DES(168)Mac=SHA1
ECDH-RSA-DES-CBC3-SHASSLv3Kx=ECDH/RSAAu=ECDHEnc=3DES(168)Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHASSLv3Kx=ECDH/ECDSAAu=ECDHEnc=3DES(168)Mac=SHA1
DES-CBC3-SHASSLv3Kx=RSAAu=RSAEnc=3DES(168)Mac=SHA1
IDEA-CBC-SHASSLv3Kx=RSAAu=RSAEnc=IDEA(128)Mac=SHA1
PSK-3DES-EDE-CBC-SHASSLv3Kx=PSKAu=PSKEnc=3DES(168)Mac=SHA1
KRB5-IDEA-CBC-SHASSLv3Kx=KRB5Au=KRB5Enc=IDEA(128)Mac=SHA1
KRB5-DES-CBC3-SHASSLv3Kx=KRB5Au=KRB5Enc=3DES(168)Mac=SHA1
KRB5-IDEA-CBC-MD5SSLv3Kx=KRB5Au=KRB5Enc=IDEA(128)Mac=MD5
KRB5-DES-CBC3-MD5SSLv3Kx=KRB5Au=KRB5Enc=3DES(168)Mac=MD5
ECDHE-RSA-RC4-SHASSLv3Kx=ECDHAu=RSAEnc=RC4(128)Mac=SHA1
ECDHE-ECDSA-RC4-SHASSLv3Kx=ECDHAu=ECDSAEnc=RC4(128)Mac=SHA1
ECDH-RSA-RC4-SHASSLv3Kx=ECDH/RSAAu=ECDHEnc=RC4(128)Mac=SHA1
ECDH-ECDSA-RC4-SHASSLv3Kx=ECDH/ECDSAAu=ECDHEnc=RC4(128)Mac=SHA1
RC4-SHASSLv3Kx=RSAAu=RSAEnc=RC4(128)Mac=SHA1
RC4-MD5SSLv3Kx=RSAAu=RSAEnc=RC4(128)Mac=MD5
PSK-RC4-SHASSLv3Kx=PSKAu=PSKEnc=RC4(128)Mac=SHA1
KRB5-RC4-SHASSLv3Kx=KRB5Au=KRB5Enc=RC4(128)Mac=SHA1
KRB5-RC4-MD5SSLv3Kx=KRB5Au=KRB5Enc=RC4(128)Mac=MD5

Certificates

  • certificates with RSA keys and SHA-1 or SHA-256 signatures.
  • certificates with EC keys and DSA or SHA-256 signatures

Hashes

  • md5 message digest algorithm (default for dgst sub-command)
  • md4 message digest algorithm
  • md2 message digest algorithm
  • sha1 message digest algorithm
  • sha message digest algorithm
  • sha224 message digest algorithm
  • sha256 message digest algorithm (default for signatures)
  • sha384 message digest algorithm
  • sha512 message digest algorithm
  • ripemd160 message digest algorithm
  • whirlpool message digest algorithm

Notes for 7.4/1.0.2k

Additional Notes

Various other refinements have been made with the update to 1.0.2k.

  • Added support for the Datagram Transport Layer Security TLS (DTLS) protocol version 1.2.

  • Added support for the automatic elliptic curve selection for the ECDHE key exchange in TLS.

  • Added support for the Application-Layer Protocol Negotiation (ALPN).

  • Added Cryptographic Message Syntax (CMS) support for the following schemes: RSA-PSS, RSA-OAEP, ECDH, and X9.42 DH.

  • MD5, MD4, and SHA0 can no longer be used as signing algorithms in OpenSSL

  • OpenSSL clients no longer allow connections to servers with DH shorter than 1024 bits

  • SSL2.0 support has been completely removed from OpenSSL

  • EXPORT cipher suites in OpenSSL have been deprecated

For further details please review the release notes and deprecation notes

Product(s)
Category
Tags
Article Type