Cipher Strings with openldap / NSS

Updated -

Details of what constitutes a valid cipher string with openldap that uses NSS in RHEL7 and RHEL6

This article is part of the Securing Applications Collection

String formats

Cipher Strings in openldap/nss follow a specific format that approximates the openssl definitions.

The cipher string must consist of one or more colon-seperated keywords. Each of these keywords may be prefixed by one of the following modifier characters '!', '+', or '-'. In the absence of one of these modifiers '+' is assumed.

The keywords must be either composite keywords or cipher names as listed below.

Composite Keywords

  • ALL

  • COMPLEMENTOFALL

  • DEFAULT

  • RSA

  • NULL
  • eNULL
  • AES128
  • AES256
  • AES
  • 3DES
  • DES
  • RC4
  • RC2
  • MD5
  • SHA
  • SHA1
  • EDH
  • DSS
  • CAMELLIA128
  • CAMELLIA256
  • CAMELLIA
  • SEED
  • ECDH
  • ECDHE
  • ECDSA
  • SSLv2
  • SSLv3
  • TLSv1
  • HIGH
  • MEDIUM
  • LOW
  • EXPORT
  • EXP
  • EXPORT40
  • EXPORT56

Explicit Cipher Names

  • DES-CBC-MD5
  • DES-CBC3-MD5
  • RC2-CBC-MD5
  • RC4-MD5
  • EXP-RC2-CBC-MD5

  • EXP-RC4-MD5

  • NULL-MD5

  • NULL-SHA
  • DES-CBC-SHA
  • DES-CBC3-SHA
  • RC4-MD5
  • RC4-SHA
  • EXP-RC2-CBC-MD5
  • EXP-RC4-MD5
  • EDH-RSA-DES-CBC-SHA
  • EDH-RSA-DES-CBC3-SHA
  • EDH-DSS-DES-CBC-SHA

  • EDH-DSS-DES-CBC3-SHA

  • EXP1024-DES-CBC-SHA

  • EXP1024-RC4-SHA
  • SEED-SHA
  • AES128-SHA
  • AES256-SHA
  • CAMELLIA256-SHA
  • CAMELLIA128-SHA
  • DHE-RSA-AES128-SHA
  • DHE-RSA-AES256-SHA

  • DHE-RSA-CAMELLIA128-SHA

  • DHE-RSA-CAMELLIA256-SHA

  • DHE-DSS-RC4-SHA
  • DHE-DSS-AES128-SHA
  • DHE-DSS-AES256-SHA
  • DHE-DSS-CAMELLIA128-SHA
  • DHE-DSS-CAMELLIA256-SHA
  • ECDH-RSA-NULL-SHA
  • ECDH-RSA-RC4-SHA
  • ECDH-RSA-DES-CBC3-SHA
  • ECDH-RSA-AES128-SHA
  • ECDH-RSA-AES256-SHA
  • ECDH-ECDSA-NULL-SHA
  • ECDH-ECDSA-RC4-SHA
  • ECDH-ECDSA-DES-CBC3-SHA
  • ECDH-ECDSA-AES128-SHA
  • ECDH-ECDSA-AES256-SHA
  • ECDHE-RSA-NULL-SHA
  • ECDHE-RSA-RC4-SHA
  • ECDHE-RSA-DES-CBC3-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • ECDHE-ECDSA-NULL-SHA
  • ECDHE-ECDSA-RC4-SHA
  • ECDHE-ECDSA-DES-CBC3-SHA
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-ECDSA-AES256-SHA

Cipher String Examples

    ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!EDH:!EXP:!SSLV2:!eNULL

Strongest available ciphers only

EECDH:EDH:CAMELLIA:ECDH:RSA:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES

Strongest ciphers by general family

ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Most ciphers.

Comments