openssl on RHEL8
openssl on RHEL8 is originally based on openssl-1.1.1
This article is part of the Securing Applications Collection
Cryptography in RHEL8
RHEL8 has a new mechanism to centralise the cryptographic defaults for a machine.
This is handled by the crypto-policies package. Details of the rationale and update policy can be found in other documents:
- Strong crypto defaults in RHEL-8 and deprecations of weak crypto algorithms
- System-wide crypto policies in RHEL 8
- The man page for the crypto-policies command.
Capabilities
Protocols
- TLSv1.3
- TLSv1.2
- TLSv1.1
- TLSv1
Cipher Suites
$ openssl ciphers -v
Suite Name | Minimum Protocol | Key Exchange | Authentication | Encryption | Msg Authentication |
---|---|---|---|---|---|
TLS_AES_256_GCM_SHA384 | TLSv1.3 | Kx=any | Au=any | Enc=AESGCM(256) | Mac=AEAD |
TLS_CHACHA20_POLY1305_SHA256 | TLSv1.3 | Kx=any | Au=any | Enc=CHACHA20/POLY1305(256) | Mac=AEAD |
TLS_AES_128_GCM_SHA256 | TLSv1.3 | Kx=any | Au=any | Enc=AESGCM(128) | Mac=AEAD |
TLS_AES_128_CCM_SHA256 | TLSv1.3 | Kx=any | Au=any | Enc=AESCCM(128) | Mac=AEAD |
ECDHE-ECDSA-AES256-GCM-SHA384 | TLSv1.2 | Kx=ECDH | Au=ECDSA | Enc=AESGCM(256) | Mac=AEAD |
ECDHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | Kx=ECDH | Au=RSA | Enc=AESGCM(256) | Mac=AEAD |
ECDHE-ECDSA-CHACHA20-POLY1305 | TLSv1.2 | Kx=ECDH | Au=ECDSA | Enc=CHACHA20/POLY1305(256) | Mac=AEAD |
ECDHE-RSA-CHACHA20-POLY1305 | TLSv1.2 | Kx=ECDH | Au=RSA | Enc=CHACHA20/POLY1305(256) | Mac=AEAD |
ECDHE-ECDSA-AES256-CCM | TLSv1.2 | Kx=ECDH | Au=ECDSA | Enc=AESCCM(256) | Mac=AEAD |
ECDHE-ECDSA-AES128-GCM-SHA256 | TLSv1.2 | Kx=ECDH | Au=ECDSA | Enc=AESGCM(128) | Mac=AEAD |
ECDHE-RSA-AES128-GCM-SHA256 | TLSv1.2 | Kx=ECDH | Au=RSA | Enc=AESGCM(128) | Mac=AEAD |
ECDHE-ECDSA-AES128-CCM | TLSv1.2 | Kx=ECDH | Au=ECDSA | Enc=AESCCM(128) | Mac=AEAD |
ECDHE-ECDSA-AES128-SHA256 | TLSv1.2 | Kx=ECDH | Au=ECDSA | Enc=AES(128) | Mac=SHA256 |
ECDHE-RSA-AES128-SHA256 | TLSv1.2 | Kx=ECDH | Au=RSA | Enc=AES(128) | Mac=SHA256 |
ECDHE-ECDSA-AES256-SHA | TLSv1 | Kx=ECDH | Au=ECDSA | Enc=AES(256) | Mac=SHA1 |
ECDHE-RSA-AES256-SHA | TLSv1 | Kx=ECDH | Au=RSA | Enc=AES(256) | Mac=SHA1 |
ECDHE-ECDSA-AES128-SHA | TLSv1 | Kx=ECDH | Au=ECDSA | Enc=AES(128) | Mac=SHA1 |
ECDHE-RSA-AES128-SHA | TLSv1 | Kx=ECDH | Au=RSA | Enc=AES(128) | Mac=SHA1 |
AES256-GCM-SHA384 | TLSv1.2 | Kx=RSA | Au=RSA | Enc=AESGCM(256) | Mac=AEAD |
AES256-CCM | TLSv1.2 | Kx=RSA | Au=RSA | Enc=AESCCM(256) | Mac=AEAD |
AES128-GCM-SHA256 | TLSv1.2 | Kx=RSA | Au=RSA | Enc=AESGCM(128) | Mac=AEAD |
AES128-CCM | TLSv1.2 | Kx=RSA | Au=RSA | Enc=AESCCM(128) | Mac=AEAD |
AES256-SHA256 | TLSv1.2 | Kx=RSA | Au=RSA | Enc=AES(256) | Mac=SHA256 |
AES128-SHA256 | TLSv1.2 | Kx=RSA | Au=RSA | Enc=AES(128) | Mac=SHA256 |
AES256-SHA | SSLv3 | Kx=RSA | Au=RSA | Enc=AES(256) | Mac=SHA1 |
AES128-SHA | SSLv3 | Kx=RSA | Au=RSA | Enc=AES(128) | Mac=SHA1 |
DHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | Kx=DH | Au=RSA | Enc=AESGCM(256) | Mac=AEAD |
DHE-RSA-CHACHA20-POLY1305 | TLSv1.2 | Kx=DH | Au=RSA | Enc=CHACHA20/POLY1305(256) | Mac=AEAD |
DHE-RSA-AES256-CCM | TLSv1.2 | Kx=DH | Au=RSA | Enc=AESCCM(256) | Mac=AEAD |
DHE-RSA-AES128-GCM-SHA256 | TLSv1.2 | Kx=DH | Au=RSA | Enc=AESGCM(128) | Mac=AEAD |
DHE-RSA-AES128-CCM | TLSv1.2 | Kx=DH | Au=RSA | Enc=AESCCM(128) | Mac=AEAD |
DHE-RSA-AES256-SHA256 | TLSv1.2 | Kx=DH | Au=RSA | Enc=AES(256) | Mac=SHA256 |
DHE-RSA-AES128-SHA256 | TLSv1.2 | Kx=DH | Au=RSA | Enc=AES(128) | Mac=SHA256 |
DHE-RSA-AES256-SHA | SSLv3 | Kx=DH | Au=RSA | Enc=AES(256) | Mac=SHA1 |
DHE-RSA-AES128-SHA | SSLv3 | Kx=DH | Au=RSA | Enc=AES(128) | Mac=SHA1 |
PSK-AES256-GCM-SHA384 | TLSv1.2 | Kx=PSK | Au=PSK | Enc=AESGCM(256) | Mac=AEAD |
PSK-CHACHA20-POLY1305 | TLSv1.2 | Kx=PSK | Au=PSK | Enc=CHACHA20/POLY1305(256) | Mac=AEAD |
PSK-AES256-CCM | TLSv1.2 | Kx=PSK | Au=PSK | Enc=AESCCM(256) | Mac=AEAD |
PSK-AES128-GCM-SHA256 | TLSv1.2 | Kx=PSK | Au=PSK | Enc=AESGCM(128) | Mac=AEAD |
PSK-AES128-CCM | TLSv1.2 | Kx=PSK | Au=PSK | Enc=AESCCM(128) | Mac=AEAD |
PSK-AES256-CBC-SHA | SSLv3 | Kx=PSK | Au=PSK | Enc=AES(256) | Mac=SHA1 |
PSK-AES128-CBC-SHA256 | TLSv1 | Kx=PSK | Au=PSK | Enc=AES(128) | Mac=SHA256 |
PSK-AES128-CBC-SHA | SSLv3 | Kx=PSK | Au=PSK | Enc=AES(128) | Mac=SHA1 |
DHE-PSK-AES256-GCM-SHA384 | TLSv1.2 | Kx=DHEPSK | Au=PSK | Enc=AESGCM(256) | Mac=AEAD |
DHE-PSK-CHACHA20-POLY1305 | TLSv1.2 | Kx=DHEPSK | Au=PSK | Enc=CHACHA20/POLY1305(256) | Mac=AEAD |
DHE-PSK-AES256-CCM | TLSv1.2 | Kx=DHEPSK | Au=PSK | Enc=AESCCM(256) | Mac=AEAD |
DHE-PSK-AES128-GCM-SHA256 | TLSv1.2 | Kx=DHEPSK | Au=PSK | Enc=AESGCM(128) | Mac=AEAD |
DHE-PSK-AES128-CCM | TLSv1.2 | Kx=DHEPSK | Au=PSK | Enc=AESCCM(128) | Mac=AEAD |
DHE-PSK-AES256-CBC-SHA | SSLv3 | Kx=DHEPSK | Au=PSK | Enc=AES(256) | Mac=SHA1 |
DHE-PSK-AES128-CBC-SHA256 | TLSv1 | Kx=DHEPSK | Au=PSK | Enc=AES(128) | Mac=SHA256 |
DHE-PSK-AES128-CBC-SHA | SSLv3 | Kx=DHEPSK | Au=PSK | Enc=AES(128) | Mac=SHA1 |
ECDHE-PSK-CHACHA20-POLY1305 | TLSv1.2 | Kx=ECDHEPSK | Au=PSK | Enc=CHACHA20/POLY1305(256) | Mac=AEAD |
ECDHE-PSK-AES256-CBC-SHA | TLSv1 | Kx=ECDHEPSK | Au=PSK | Enc=AES(256) | Mac=SHA1 |
ECDHE-PSK-AES128-CBC-SHA256 | TLSv1 | Kx=ECDHEPSK | Au=PSK | Enc=AES(128) | Mac=SHA256 |
ECDHE-PSK-AES128-CBC-SHA | TLSv1 | Kx=ECDHEPSK | Au=PSK | Enc=AES(128) | Mac=SHA1 |
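As an added example (not part of the original article), the shell function below reads `openssl ciphers -v` output in the command's native whitespace-separated form and reports suites whose key exchange gives no forward secrecy (Kx=RSA, Kx=PSK) or whose MAC is not AEAD. The function names and the findings labels are assumptions made for illustration; the sample rows are constructed from entries in the table above.

```shell
#!/bin/sh
# Added example: audit `openssl ciphers -v` output for weaker suites.
# On a live system:  openssl ciphers -v | audit_ciphers

# Prints "<suite> <finding>[,<finding>]" for every suite with a finding.
# Only the Kx= values that appear in the table above are handled.
audit_ciphers() {
    awk '
    function add(list, item) { return list == "" ? item : list "," item }
    NF >= 6 {
        kx = ""; mac = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Kx=/)  kx  = substr($i, 4)
            if ($i ~ /^Mac=/) mac = substr($i, 5)
        }
        findings = ""
        # Static RSA key transport and plain PSK have no ephemeral exchange.
        # TLSv1.3 suites report Kx=any and are not flagged here.
        if (kx == "RSA" || kx == "PSK")
            findings = add(findings, "no-forward-secrecy")
        # Anything other than Mac=AEAD is a separate HMAC construction.
        if (mac != "AEAD")
            findings = add(findings, "non-aead-mac=" mac)
        if (findings != "") print $1, findings
    }'
}

# Constructed sample input: rows from the table above, in the
# whitespace-separated layout the command itself prints.
sample_output() {
    cat <<'EOF'
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
PSK-AES128-CCM TLSv1.2 Kx=PSK Au=PSK Enc=AESCCM(128) Mac=AEAD
EOF
}

sample_output | audit_ciphers
```

The list printed by `openssl ciphers -v` on a given host reflects the active system-wide crypto policy, so the findings can differ between machines.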
Certificates
- certificates with RSA keys and SHA-1 or SHA-256 signatures.
- certificates with EC keys and DSA or SHA-256 signatures
Hashes
- blake2b512 message digest algorithm
- blake2s256 message digest algorithm
- gost message digest algorithm
- md2 message digest algorithm
- md4 message digest algorithm
- md5 message digest algorithm
- rmd160 message digest algorithm
- sha1 message digest algorithm
- sha224 message digest algorithm
- sha256 message digest algorithm (default for dgst sub-command and signatures)
- sha3-224 message digest algorithm
- sha3-256 message digest algorithm
- sha3-384 message digest algorithm
- sha3-512 message digest algorithm
- sha384 message digest algorithm
- sha512 message digest algorithm
- sha512-224 message digest algorithm
- sha512-256 message digest algorithm
- shake128 message digest algorithm
- shake256 message digest algorithm
- sm3 message digest algorithm