openssl on RHEL7
openssl on RHEL7 was originally based on openssl-1.0.1e but was rebased to openssl-1.0.2k with RHEL7.4.
This article is part of the Securing Applications Collection
Due to the serious issues with the design of TLS and the implementation issues in openssl uncovered during the lifetime of RHEL7, you should always use the latest version, and at least openssl-1.0.2k-21.el7_9.
Capabilities
Protocols
- TLSv1.2
- TLSv1.1
- TLSv1
- SSLv3
- SSLv2 - REMOVED IN RHEL7.4/openssl-1.0.2k
Ciphers
$ openssl ciphers -v
Cipher Name | Protocol | Key Exchange | Authentication | Encryption | Msg Authentication |
---|---|---|---|---|---|
ECDHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | Kx=ECDH | Au=RSA | Enc=AESGCM(256) | Mac=AEAD |
ECDHE-ECDSA-AES256-GCM-SHA384 | TLSv1.2 | Kx=ECDH | Au=ECDSA | Enc=AESGCM(256) | Mac=AEAD |
ECDHE-RSA-AES256-SHA384 | TLSv1.2 | Kx=ECDH | Au=RSA | Enc=AES(256) | Mac=SHA384 |
ECDHE-ECDSA-AES256-SHA384 | TLSv1.2 | Kx=ECDH | Au=ECDSA | Enc=AES(256) | Mac=SHA384 |
ECDHE-RSA-AES256-SHA | SSLv3 | Kx=ECDH | Au=RSA | Enc=AES(256) | Mac=SHA1 |
ECDHE-ECDSA-AES256-SHA | SSLv3 | Kx=ECDH | Au=ECDSA | Enc=AES(256) | Mac=SHA1 |
DH-DSS-AES256-GCM-SHA384 | TLSv1.2 | Kx=DH/DSS | Au=DH | Enc=AESGCM(256) | Mac=AEAD |
DHE-DSS-AES256-GCM-SHA384 | TLSv1.2 | Kx=DH | Au=DSS | Enc=AESGCM(256) | Mac=AEAD |
DH-RSA-AES256-GCM-SHA384 | TLSv1.2 | Kx=DH/RSA | Au=DH | Enc=AESGCM(256) | Mac=AEAD |
DHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | Kx=DH | Au=RSA | Enc=AESGCM(256) | Mac=AEAD |
DHE-RSA-AES256-SHA256 | TLSv1.2 | Kx=DH | Au=RSA | Enc=AES(256) | Mac=SHA256 |
DHE-DSS-AES256-SHA256 | TLSv1.2 | Kx=DH | Au=DSS | Enc=AES(256) | Mac=SHA256 |
DH-RSA-AES256-SHA256 | TLSv1.2 | Kx=DH/RSA | Au=DH | Enc=AES(256) | Mac=SHA256 |
DH-DSS-AES256-SHA256 | TLSv1.2 | Kx=DH/DSS | Au=DH | Enc=AES(256) | Mac=SHA256 |
DHE-RSA-AES256-SHA | SSLv3 | Kx=DH | Au=RSA | Enc=AES(256) | Mac=SHA1 |
DHE-DSS-AES256-SHA | SSLv3 | Kx=DH | Au=DSS | Enc=AES(256) | Mac=SHA1 |
DH-RSA-AES256-SHA | SSLv3 | Kx=DH/RSA | Au=DH | Enc=AES(256) | Mac=SHA1 |
DH-DSS-AES256-SHA | SSLv3 | Kx=DH/DSS | Au=DH | Enc=AES(256) | Mac=SHA1 |
DHE-RSA-CAMELLIA256-SHA | SSLv3 | Kx=DH | Au=RSA | Enc=Camellia(256) | Mac=SHA1 |
DHE-DSS-CAMELLIA256-SHA | SSLv3 | Kx=DH | Au=DSS | Enc=Camellia(256) | Mac=SHA1 |
DH-RSA-CAMELLIA256-SHA | SSLv3 | Kx=DH/RSA | Au=DH | Enc=Camellia(256) | Mac=SHA1 |
DH-DSS-CAMELLIA256-SHA | SSLv3 | Kx=DH/DSS | Au=DH | Enc=Camellia(256) | Mac=SHA1 |
ECDH-RSA-AES256-GCM-SHA384 | TLSv1.2 | Kx=ECDH/RSA | Au=ECDH | Enc=AESGCM(256) | Mac=AEAD |
ECDH-ECDSA-AES256-GCM-SHA384 | TLSv1.2 | Kx=ECDH/ECDSA | Au=ECDH | Enc=AESGCM(256) | Mac=AEAD |
ECDH-RSA-AES256-SHA384 | TLSv1.2 | Kx=ECDH/RSA | Au=ECDH | Enc=AES(256) | Mac=SHA384 |
ECDH-ECDSA-AES256-SHA384 | TLSv1.2 | Kx=ECDH/ECDSA | Au=ECDH | Enc=AES(256) | Mac=SHA384 |
ECDH-RSA-AES256-SHA | SSLv3 | Kx=ECDH/RSA | Au=ECDH | Enc=AES(256) | Mac=SHA1 |
ECDH-ECDSA-AES256-SHA | SSLv3 | Kx=ECDH/ECDSA | Au=ECDH | Enc=AES(256) | Mac=SHA1 |
AES256-GCM-SHA384 | TLSv1.2 | Kx=RSA | Au=RSA | Enc=AESGCM(256) | Mac=AEAD |
AES256-SHA256 | TLSv1.2 | Kx=RSA | Au=RSA | Enc=AES(256) | Mac=SHA256 |
AES256-SHA | SSLv3 | Kx=RSA | Au=RSA | Enc=AES(256) | Mac=SHA1 |
CAMELLIA256-SHA | SSLv3 | Kx=RSA | Au=RSA | Enc=Camellia(256) | Mac=SHA1 |
PSK-AES256-CBC-SHA | SSLv3 | Kx=PSK | Au=PSK | Enc=AES(256) | Mac=SHA1 |
ECDHE-RSA-AES128-GCM-SHA256 | TLSv1.2 | Kx=ECDH | Au=RSA | Enc=AESGCM(128) | Mac=AEAD |
ECDHE-ECDSA-AES128-GCM-SHA256 | TLSv1.2 | Kx=ECDH | Au=ECDSA | Enc=AESGCM(128) | Mac=AEAD |
ECDHE-RSA-AES128-SHA256 | TLSv1.2 | Kx=ECDH | Au=RSA | Enc=AES(128) | Mac=SHA256 |
ECDHE-ECDSA-AES128-SHA256 | TLSv1.2 | Kx=ECDH | Au=ECDSA | Enc=AES(128) | Mac=SHA256 |
ECDHE-RSA-AES128-SHA | SSLv3 | Kx=ECDH | Au=RSA | Enc=AES(128) | Mac=SHA1 |
ECDHE-ECDSA-AES128-SHA | SSLv3 | Kx=ECDH | Au=ECDSA | Enc=AES(128) | Mac=SHA1 |
DH-DSS-AES128-GCM-SHA256 | TLSv1.2 | Kx=DH/DSS | Au=DH | Enc=AESGCM(128) | Mac=AEAD |
DHE-DSS-AES128-GCM-SHA256 | TLSv1.2 | Kx=DH | Au=DSS | Enc=AESGCM(128) | Mac=AEAD |
DH-RSA-AES128-GCM-SHA256 | TLSv1.2 | Kx=DH/RSA | Au=DH | Enc=AESGCM(128) | Mac=AEAD |
DHE-RSA-AES128-GCM-SHA256 | TLSv1.2 | Kx=DH | Au=RSA | Enc=AESGCM(128) | Mac=AEAD |
DHE-RSA-AES128-SHA256 | TLSv1.2 | Kx=DH | Au=RSA | Enc=AES(128) | Mac=SHA256 |
DHE-DSS-AES128-SHA256 | TLSv1.2 | Kx=DH | Au=DSS | Enc=AES(128) | Mac=SHA256 |
DH-RSA-AES128-SHA256 | TLSv1.2 | Kx=DH/RSA | Au=DH | Enc=AES(128) | Mac=SHA256 |
DH-DSS-AES128-SHA256 | TLSv1.2 | Kx=DH/DSS | Au=DH | Enc=AES(128) | Mac=SHA256 |
DHE-RSA-AES128-SHA | SSLv3 | Kx=DH | Au=RSA | Enc=AES(128) | Mac=SHA1 |
DHE-DSS-AES128-SHA | SSLv3 | Kx=DH | Au=DSS | Enc=AES(128) | Mac=SHA1 |
DH-RSA-AES128-SHA | SSLv3 | Kx=DH/RSA | Au=DH | Enc=AES(128) | Mac=SHA1 |
DH-DSS-AES128-SHA | SSLv3 | Kx=DH/DSS | Au=DH | Enc=AES(128) | Mac=SHA1 |
DHE-RSA-SEED-SHA | SSLv3 | Kx=DH | Au=RSA | Enc=SEED(128) | Mac=SHA1 |
DHE-DSS-SEED-SHA | SSLv3 | Kx=DH | Au=DSS | Enc=SEED(128) | Mac=SHA1 |
DH-RSA-SEED-SHA | SSLv3 | Kx=DH/RSA | Au=DH | Enc=SEED(128) | Mac=SHA1 |
DH-DSS-SEED-SHA | SSLv3 | Kx=DH/DSS | Au=DH | Enc=SEED(128) | Mac=SHA1 |
DHE-RSA-CAMELLIA128-SHA | SSLv3 | Kx=DH | Au=RSA | Enc=Camellia(128) | Mac=SHA1 |
DHE-DSS-CAMELLIA128-SHA | SSLv3 | Kx=DH | Au=DSS | Enc=Camellia(128) | Mac=SHA1 |
DH-RSA-CAMELLIA128-SHA | SSLv3 | Kx=DH/RSA | Au=DH | Enc=Camellia(128) | Mac=SHA1 |
DH-DSS-CAMELLIA128-SHA | SSLv3 | Kx=DH/DSS | Au=DH | Enc=Camellia(128) | Mac=SHA1 |
ECDH-RSA-AES128-GCM-SHA256 | TLSv1.2 | Kx=ECDH/RSA | Au=ECDH | Enc=AESGCM(128) | Mac=AEAD |
ECDH-ECDSA-AES128-GCM-SHA256 | TLSv1.2 | Kx=ECDH/ECDSA | Au=ECDH | Enc=AESGCM(128) | Mac=AEAD |
ECDH-RSA-AES128-SHA256 | TLSv1.2 | Kx=ECDH/RSA | Au=ECDH | Enc=AES(128) | Mac=SHA256 |
ECDH-ECDSA-AES128-SHA256 | TLSv1.2 | Kx=ECDH/ECDSA | Au=ECDH | Enc=AES(128) | Mac=SHA256 |
ECDH-RSA-AES128-SHA | SSLv3 | Kx=ECDH/RSA | Au=ECDH | Enc=AES(128) | Mac=SHA1 |
ECDH-ECDSA-AES128-SHA | SSLv3 | Kx=ECDH/ECDSA | Au=ECDH | Enc=AES(128) | Mac=SHA1 |
AES128-GCM-SHA256 | TLSv1.2 | Kx=RSA | Au=RSA | Enc=AESGCM(128) | Mac=AEAD |
AES128-SHA256 | TLSv1.2 | Kx=RSA | Au=RSA | Enc=AES(128) | Mac=SHA256 |
AES128-SHA | SSLv3 | Kx=RSA | Au=RSA | Enc=AES(128) | Mac=SHA1 |
SEED-SHA | SSLv3 | Kx=RSA | Au=RSA | Enc=SEED(128) | Mac=SHA1 |
CAMELLIA128-SHA | SSLv3 | Kx=RSA | Au=RSA | Enc=Camellia(128) | Mac=SHA1 |
PSK-AES128-CBC-SHA | SSLv3 | Kx=PSK | Au=PSK | Enc=AES(128) | Mac=SHA1 |
ECDHE-RSA-DES-CBC3-SHA | SSLv3 | Kx=ECDH | Au=RSA | Enc=3DES(168) | Mac=SHA1 |
ECDHE-ECDSA-DES-CBC3-SHA | SSLv3 | Kx=ECDH | Au=ECDSA | Enc=3DES(168) | Mac=SHA1 |
EDH-RSA-DES-CBC3-SHA | SSLv3 | Kx=DH | Au=RSA | Enc=3DES(168) | Mac=SHA1 |
EDH-DSS-DES-CBC3-SHA | SSLv3 | Kx=DH | Au=DSS | Enc=3DES(168) | Mac=SHA1 |
DH-RSA-DES-CBC3-SHA | SSLv3 | Kx=DH/RSA | Au=DH | Enc=3DES(168) | Mac=SHA1 |
DH-DSS-DES-CBC3-SHA | SSLv3 | Kx=DH/DSS | Au=DH | Enc=3DES(168) | Mac=SHA1 |
ECDH-RSA-DES-CBC3-SHA | SSLv3 | Kx=ECDH/RSA | Au=ECDH | Enc=3DES(168) | Mac=SHA1 |
ECDH-ECDSA-DES-CBC3-SHA | SSLv3 | Kx=ECDH/ECDSA | Au=ECDH | Enc=3DES(168) | Mac=SHA1 |
DES-CBC3-SHA | SSLv3 | Kx=RSA | Au=RSA | Enc=3DES(168) | Mac=SHA1 |
IDEA-CBC-SHA | SSLv3 | Kx=RSA | Au=RSA | Enc=IDEA(128) | Mac=SHA1 |
PSK-3DES-EDE-CBC-SHA | SSLv3 | Kx=PSK | Au=PSK | Enc=3DES(168) | Mac=SHA1 |
KRB5-IDEA-CBC-SHA | SSLv3 | Kx=KRB5 | Au=KRB5 | Enc=IDEA(128) | Mac=SHA1 |
KRB5-DES-CBC3-SHA | SSLv3 | Kx=KRB5 | Au=KRB5 | Enc=3DES(168) | Mac=SHA1 |
KRB5-IDEA-CBC-MD5 | SSLv3 | Kx=KRB5 | Au=KRB5 | Enc=IDEA(128) | Mac=MD5 |
KRB5-DES-CBC3-MD5 | SSLv3 | Kx=KRB5 | Au=KRB5 | Enc=3DES(168) | Mac=MD5 |
ECDHE-RSA-RC4-SHA | SSLv3 | Kx=ECDH | Au=RSA | Enc=RC4(128) | Mac=SHA1 |
ECDHE-ECDSA-RC4-SHA | SSLv3 | Kx=ECDH | Au=ECDSA | Enc=RC4(128) | Mac=SHA1 |
ECDH-RSA-RC4-SHA | SSLv3 | Kx=ECDH/RSA | Au=ECDH | Enc=RC4(128) | Mac=SHA1 |
ECDH-ECDSA-RC4-SHA | SSLv3 | Kx=ECDH/ECDSA | Au=ECDH | Enc=RC4(128) | Mac=SHA1 |
RC4-SHA | SSLv3 | Kx=RSA | Au=RSA | Enc=RC4(128) | Mac=SHA1 |
RC4-MD5 | SSLv3 | Kx=RSA | Au=RSA | Enc=RC4(128) | Mac=MD5 |
PSK-RC4-SHA | SSLv3 | Kx=PSK | Au=PSK | Enc=RC4(128) | Mac=SHA1 |
KRB5-RC4-SHA | SSLv3 | Kx=KRB5 | Au=KRB5 | Enc=RC4(128) | Mac=SHA1 |
KRB5-RC4-MD5 | SSLv3 | Kx=KRB5 | Au=KRB5 | Enc=RC4(128) | Mac=MD5 |
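The list above can be audited mechanically. The following is an added example, not part of the original article: it reads `openssl ciphers -v` output and reports suites that use RC4, a 64-bit block cipher (3DES, IDEA), an MD5 MAC, or a key exchange without forward secrecy. The function names and the policy itself are assumptions of this example, and the sample rows are constructed from the table above.

```shell
#!/bin/sh
# Added example: classify `openssl ciphers -v` output (format as listed above).
# The policy below is this example's assumption, not Red Hat guidance.

# Reads `openssl ciphers -v` lines on stdin; prints "<suite> <reasons>" for
# every suite that trips at least one rule.
audit_ciphers() {
    awk '
    NF >= 6 {
        kx = enc = mac = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Kx=/)  kx  = substr($i, 4)
            if ($i ~ /^Enc=/) enc = substr($i, 5)
            if ($i ~ /^Mac=/) mac = substr($i, 5)
        }
        why = ""
        if (enc ~ /^RC4/)         why = why ",rc4"
        if (enc ~ /^(3DES|IDEA)/) why = why ",64-bit-block"
        if (mac == "MD5")         why = why ",md5-mac"
        # In this output format only Kx=DH and Kx=ECDH are ephemeral (DHE/ECDHE)
        if (kx != "DH" && kx != "ECDH") why = why ",no-forward-secrecy"
        if (why != "") print $1, substr(why, 2)
    }'
}

# Constructed sample: five rows taken from the cipher table on this page,
# spaced the way the command prints them.
sample_ciphers() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES128-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA256
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
KRB5-IDEA-CBC-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=IDEA(128) Mac=SHA1
EOF
}

# On a real host: openssl ciphers -v | audit_ciphers
sample_ciphers | audit_ciphers
```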
Certificates
- certificates with RSA keys and SHA-1 or SHA-256 signatures.
- certificates with EC keys and DSA or SHA-256 signatures
Hashes
- md5 message digest algorithm (default for dgst sub-command)
- md4 message digest algorithm
- md2 message digest algorithm
- sha1 message digest algorithm
- sha message digest algorithm
- sha224 message digest algorithm
- sha256 message digest algorithm (default for signatures)
- sha384 message digest algorithm
- sha512 message digest algorithm
- ripemd160 message digest algorithm
- whirlpool message digest algorithm
Notes for 7.4/1.0.2k
Additional Notes
Various other refinements have been made with the update to 1.0.2k.
- Added support for the Datagram Transport Layer Security (DTLS) protocol version 1.2.
- Added support for the automatic elliptic curve selection for the ECDHE key exchange in TLS.
- Added support for the Application-Layer Protocol Negotiation (ALPN).
- Added Cryptographic Message Syntax (CMS) support for the following schemes: RSA-PSS, RSA-OAEP, ECDH, and X9.42 DH.
- MD5, MD4, and SHA0 can no longer be used as signing algorithms in OpenSSL.
- OpenSSL clients no longer allow connections to servers with DH shorter than 1024 bits.
- SSL2.0 support has been completely removed from OpenSSL.
- EXPORT cipher suites in OpenSSL have been deprecated.
For further details, please review the release notes and deprecation notes.