Cipher Strings with openldap / NSS

Updated

Details of what constitutes a valid cipher string with openldap that uses NSS in RHEL7 and RHEL6

This article is part of the Securing Applications Collection

String formats

Cipher Strings in openldap/nss follow a specific format that approximates the openssl definitions.

The cipher string must consist of one or more colon-seperated keywords. Each of these keywords may be prefixed by one of the following modifier characters '!', '+', or '-'. In the absence of one of these modifiers '+' is assumed.

The keywords must be either composite keywords or cipher names as listed below.

Composite Keywords

  • ALL

  • COMPLEMENTOFALL

  • DEFAULT

  • RSA

  • NULL

  • eNULL

  • AES128

  • AES256

  • AES

  • 3DES

  • DES

  • RC4

  • RC2

  • MD5

  • SHA

  • SHA1

  • EDH

  • DSS

  • CAMELLIA128

  • CAMELLIA256

  • CAMELLIA

  • SEED

  • ECDH

  • ECDHE

  • ECDSA

  • SSLv2

  • SSLv3

  • TLSv1

  • HIGH

  • MEDIUM

  • LOW

  • EXPORT

  • EXP

  • EXPORT40

  • EXPORT56

Explicit Cipher Names

  • DES-CBC-MD5

  • DES-CBC3-MD5

  • RC2-CBC-MD5

  • RC4-MD5

  • EXP-RC2-CBC-MD5

  • EXP-RC4-MD5

  • NULL-MD5

  • NULL-SHA

  • DES-CBC-SHA

  • DES-CBC3-SHA

  • RC4-MD5

  • RC4-SHA

  • EXP-RC2-CBC-MD5

  • EXP-RC4-MD5

  • EDH-RSA-DES-CBC-SHA

  • EDH-RSA-DES-CBC3-SHA

  • EDH-DSS-DES-CBC-SHA

  • EDH-DSS-DES-CBC3-SHA

  • EXP1024-DES-CBC-SHA

  • EXP1024-RC4-SHA

  • SEED-SHA

  • AES128-SHA

  • AES256-SHA

  • CAMELLIA256-SHA

  • CAMELLIA128-SHA

  • DHE-RSA-AES128-SHA

  • DHE-RSA-AES256-SHA

  • DHE-RSA-CAMELLIA128-SHA

  • DHE-RSA-CAMELLIA256-SHA

  • DHE-DSS-RC4-SHA

  • DHE-DSS-AES128-SHA

  • DHE-DSS-AES256-SHA

  • DHE-DSS-CAMELLIA128-SHA

  • DHE-DSS-CAMELLIA256-SHA

  • ECDH-RSA-NULL-SHA

  • ECDH-RSA-RC4-SHA

  • ECDH-RSA-DES-CBC3-SHA

  • ECDH-RSA-AES128-SHA

  • ECDH-RSA-AES256-SHA

  • ECDH-ECDSA-NULL-SHA

  • ECDH-ECDSA-RC4-SHA

  • ECDH-ECDSA-DES-CBC3-SHA

  • ECDH-ECDSA-AES128-SHA

  • ECDH-ECDSA-AES256-SHA

  • ECDHE-RSA-NULL-SHA

  • ECDHE-RSA-RC4-SHA

  • ECDHE-RSA-DES-CBC3-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-NULL-SHA

  • ECDHE-ECDSA-RC4-SHA

  • ECDHE-ECDSA-DES-CBC3-SHA

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-ECDSA-AES256-SHA

Cipher String Examples

    ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!EDH:!EXP:!SSLV2:!eNULL

Strongest available ciphers only

EECDH:EDH:CAMELLIA:ECDH:RSA:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES

Strongest ciphers by general family

ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Most ciphers.

Product(s)
Category
Components
Tags
Article Type