openssl on RHEL8

Updated 8 May 2019

openssl on RHEL8 is originally based on openssl-1.1.1

This article is part of the Securing Applications Collection

Cryptography in RHEL8

RHEL8 has a new mechnism to centralise the cryptographic defaults for a machine.
This is handled by the crypto-policies package. Details of the rationale and update policy can be found in other documents

Strong crypto defaults in RHEL-8 and deprecations of weak crypto algorithms

System-wide crypto policies in RHEL 8

The man page for the crypto-policies command.

Capabilities

Protocols

TLSv1.3
TLSv1.2
TLSv1.1
TLSv1

Cipher Suites

$ openssl ciphers -v

Suite Name	Minimum Protocol	Key Exchange	Authentication	Encryption	Msg Authentication
TLS_AES_256_GCM_SHA384	TLSv1.3	Kx=any	Au=any	Enc=AESGCM(256)	Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256	TLSv1.3	Kx=any	Au=any	Enc=CHACHA20/POLY1305(256)	Mac=AEAD
TLS_AES_128_GCM_SHA256	TLSv1.3	Kx=any	Au=any	Enc=AESGCM(128)	Mac=AEAD
TLS_AES_128_CCM_SHA256	TLSv1.3	Kx=any	Au=any	Enc=AESCCM(128)	Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384	TLSv1.2	Kx=ECDH	Au=ECDSA	Enc=AESGCM(256)	Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384	TLSv1.2	Kx=ECDH	Au=RSA	Enc=AESGCM(256)	Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305	TLSv1.2	Kx=ECDH	Au=ECDSA	Enc=CHACHA20/POLY1305(256)	Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305	TLSv1.2	Kx=ECDH	Au=RSA	Enc=CHACHA20/POLY1305(256)	Mac=AEAD
ECDHE-ECDSA-AES256-CCM	TLSv1.2	Kx=ECDH	Au=ECDSA	Enc=AESCCM(256)	Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256	TLSv1.2	Kx=ECDH	Au=ECDSA	Enc=AESGCM(128)	Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256	TLSv1.2	Kx=ECDH	Au=RSA	Enc=AESGCM(128)	Mac=AEAD
ECDHE-ECDSA-AES128-CCM	TLSv1.2	Kx=ECDH	Au=ECDSA	Enc=AESCCM(128)	Mac=AEAD
ECDHE-ECDSA-AES128-SHA256	TLSv1.2	Kx=ECDH	Au=ECDSA	Enc=AES(128)	Mac=SHA256
ECDHE-RSA-AES128-SHA256	TLSv1.2	Kx=ECDH	Au=RSA	Enc=AES(128)	Mac=SHA256
ECDHE-ECDSA-AES256-SHA	TLSv1	Kx=ECDH	Au=ECDSA	Enc=AES(256)	Mac=SHA1
ECDHE-RSA-AES256-SHA	TLSv1	Kx=ECDH	Au=RSA	Enc=AES(256)	Mac=SHA1
ECDHE-ECDSA-AES128-SHA	TLSv1	Kx=ECDH	Au=ECDSA	Enc=AES(128)	Mac=SHA1
ECDHE-RSA-AES128-SHA	TLSv1	Kx=ECDH	Au=RSA	Enc=AES(128)	Mac=SHA1
AES256-GCM-SHA384	TLSv1.2	Kx=RSA	Au=RSA	Enc=AESGCM(256)	Mac=AEAD
AES256-CCM	TLSv1.2	Kx=RSA	Au=RSA	Enc=AESCCM(256)	Mac=AEAD
AES128-GCM-SHA256	TLSv1.2	Kx=RSA	Au=RSA	Enc=AESGCM(128)	Mac=AEAD
AES128-CCM	TLSv1.2	Kx=RSA	Au=RSA	Enc=AESCCM(128)	Mac=AEAD
AES256-SHA256	TLSv1.2	Kx=RSA	Au=RSA	Enc=AES(256)	Mac=SHA256
AES128-SHA256	TLSv1.2	Kx=RSA	Au=RSA	Enc=AES(128)	Mac=SHA256
AES256-SHA	SSLv3	Kx=RSA	Au=RSA	Enc=AES(256)	Mac=SHA1
AES128-SHA	SSLv3	Kx=RSA	Au=RSA	Enc=AES(128)	Mac=SHA1
DHE-RSA-AES256-GCM-SHA384	TLSv1.2	Kx=DH	Au=RSA	Enc=AESGCM(256)	Mac=AEAD
DHE-RSA-CHACHA20-POLY1305	TLSv1.2	Kx=DH	Au=RSA	Enc=CHACHA20/POLY1305(256)	Mac=AEAD
DHE-RSA-AES256-CCM	TLSv1.2	Kx=DH	Au=RSA	Enc=AESCCM(256)	Mac=AEAD
DHE-RSA-AES128-GCM-SHA256	TLSv1.2	Kx=DH	Au=RSA	Enc=AESGCM(128)	Mac=AEAD
DHE-RSA-AES128-CCM	TLSv1.2	Kx=DH	Au=RSA	Enc=AESCCM(128)	Mac=AEAD
DHE-RSA-AES256-SHA256	TLSv1.2	Kx=DH	Au=RSA	Enc=AES(256)	Mac=SHA256
DHE-RSA-AES128-SHA256	TLSv1.2	Kx=DH	Au=RSA	Enc=AES(128)	Mac=SHA256
DHE-RSA-AES256-SHA	SSLv3	Kx=DH	Au=RSA	Enc=AES(256)	Mac=SHA1
DHE-RSA-AES128-SHA	SSLv3	Kx=DH	Au=RSA	Enc=AES(128)	Mac=SHA1
PSK-AES256-GCM-SHA384	TLSv1.2	Kx=PSK	Au=PSK	Enc=AESGCM(256)	Mac=AEAD
PSK-CHACHA20-POLY1305	TLSv1.2	Kx=PSK	Au=PSK	Enc=CHACHA20/POLY1305(256)	Mac=AEAD
PSK-AES256-CCM	TLSv1.2	Kx=PSK	Au=PSK	Enc=AESCCM(256)	Mac=AEAD
PSK-AES128-GCM-SHA256	TLSv1.2	Kx=PSK	Au=PSK	Enc=AESGCM(128)	Mac=AEAD
PSK-AES128-CCM	TLSv1.2	Kx=PSK	Au=PSK	Enc=AESCCM(128)	Mac=AEAD
PSK-AES256-CBC-SHA	SSLv3	Kx=PSK	Au=PSK	Enc=AES(256)	Mac=SHA1
PSK-AES128-CBC-SHA256	TLSv1	Kx=PSK	Au=PSK	Enc=AES(128)	Mac=SHA256
PSK-AES128-CBC-SHA	SSLv3	Kx=PSK	Au=PSK	Enc=AES(128)	Mac=SHA1
DHE-PSK-AES256-GCM-SHA384	TLSv1.2	Kx=DHEPSK	Au=PSK	Enc=AESGCM(256)	Mac=AEAD
DHE-PSK-CHACHA20-POLY1305	TLSv1.2	Kx=DHEPSK	Au=PSK	Enc=CHACHA20/POLY1305(256)	Mac=AEAD
DHE-PSK-AES256-CCM	TLSv1.2	Kx=DHEPSK	Au=PSK	Enc=AESCCM(256)	Mac=AEAD
DHE-PSK-AES128-GCM-SHA256	TLSv1.2	Kx=DHEPSK	Au=PSK	Enc=AESGCM(128)	Mac=AEAD
DHE-PSK-AES128-CCM	TLSv1.2	Kx=DHEPSK	Au=PSK	Enc=AESCCM(128)	Mac=AEAD
DHE-PSK-AES256-CBC-SHA	SSLv3	Kx=DHEPSK	Au=PSK	Enc=AES(256)	Mac=SHA1
DHE-PSK-AES128-CBC-SHA256	TLSv1	Kx=DHEPSK	Au=PSK	Enc=AES(128)	Mac=SHA256
DHE-PSK-AES128-CBC-SHA	SSLv3	Kx=DHEPSK	Au=PSK	Enc=AES(128)	Mac=SHA1
ECDHE-PSK-CHACHA20-POLY1305	TLSv1.2	Kx=ECDHEPSK	Au=PSK	Enc=CHACHA20/POLY1305(256)	Mac=AEAD
ECDHE-PSK-AES256-CBC-SHA	TLSv1	Kx=ECDHEPSK	Au=PSK	Enc=AES(256)	Mac=SHA1
ECDHE-PSK-AES128-CBC-SHA256	TLSv1	Kx=ECDHEPSK	Au=PSK	Enc=AES(128)	Mac=SHA256
ECDHE-PSK-AES128-CBC-SHA	TLSv1	Kx=ECDHEPSK	Au=PSK	Enc=AES(128)	Mac=SHA1

Certificates

certificates with RSA keys and SHA-1 or SHA-256 signatures.
certificates with EC keys and DSA or SHA-256 signatures

Hashes

blake2b512 message digest algorithm
blake2s256 message digest algorithm
gost message digest algorithm
md2 message digest algorithm
md4 message digest algorithm
md5 message digest algorithm
rmd160 message digest algorithm
sha1 message digest algorithm
sha224 message digest algorithm
sha256 message digest algorithm (default for dgst sub-command and signatures)
sha3-224 message digest algorithm
sha3-256 message digest algorithm
sha3-384 message digest algorithm
sha3-512 message digest algorithm
sha384 message digest algorithm
sha512 message digest algorithm
sha512-224 message digest algorithm
sha512-256 message digest algorithm
shake128 message digest algorithm
shake256 message digest algorithm
sm3 message digest algorithm

Product(s)

Red Hat Enterprise Linux

Category

Secure

Components

openssl

Tags

rhel_8

Article Type

General