From da763b66783685cced48d6795d8ddf3de76200fd Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Tue, 6 Oct 2020 16:04:08 +0200 Subject: [PATCH] Add documentation for the cipher-list directive --- doc/source/p-config.sgml | 125 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 125 insertions(+) diff --git a/doc/source/p-config.sgml b/doc/source/p-config.sgml index 29770bc1..8a337839 100644 --- a/doc/source/p-config.sgml +++ b/doc/source/p-config.sgml @@ -4240,6 +4240,131 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t +cipher-list + + + Specifies: + + + A list of ciphers to use in TLS handshakes + + + + + Type of value: + + + Text + + + + + Default value: + + None + + + + Effect if unset: + + + A default value is inherited from the TLS library. + + + + + Notes: + + + This directive allows to specify a non-default list of ciphers to use + in TLS handshakes with clients and servers. + + + Ciphers are separated by colons. Which ciphers are supported + depends on the TLS library. When using OpenSSL, unsupported ciphers + are skipped. When using MbedTLS they are rejected. + + + + Specifying an unusual cipher list makes fingerprinting easier. + Note that the default list provided by the TLS library may + be unusual when compared to the one used by modern browsers + as well. + + + + + + Examples: + + + # Explicitly set a couple of ciphers with names used by MbedTLS + cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\ +TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:\ +TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\ +TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:\ +TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:\ +TLS-ECDHE-ECDSA-WITH-AES-256-CCM:\ +TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8:\ +TLS-ECDHE-ECDSA-WITH-AES-128-CCM:\ +TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8:\ +TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\ +TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384:\ +TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:\ +TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:\ +TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\ +TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\ +TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\ +TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\ +TLS-DHE-RSA-WITH-AES-256-CCM:\ +TLS-DHE-RSA-WITH-AES-256-CCM-8:\ +TLS-DHE-RSA-WITH-AES-128-CCM:\ +TLS-DHE-RSA-WITH-AES-128-CCM-8:\ +TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\ +TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\ +TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:\ +TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:\ +TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256:\ +TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384:\ +TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:\ +TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:\ +TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\ +TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 + + + # Explicitly set a couple of ciphers with names used by OpenSSL +cipher-list ECDHE-RSA-AES256-GCM-SHA384:\ +ECDHE-ECDSA-AES256-GCM-SHA384:\ +DH-DSS-AES256-GCM-SHA384:\ +DHE-DSS-AES256-GCM-SHA384:\ +DH-RSA-AES256-GCM-SHA384:\ +DHE-RSA-AES256-GCM-SHA384:\ +ECDH-RSA-AES256-GCM-SHA384:\ +ECDH-ECDSA-AES256-GCM-SHA384:\ +ECDHE-RSA-AES128-GCM-SHA256:\ +ECDHE-ECDSA-AES128-GCM-SHA256:\ +DH-DSS-AES128-GCM-SHA256:\ +DHE-DSS-AES128-GCM-SHA256:\ +DH-RSA-AES128-GCM-SHA256:\ +DHE-RSA-AES128-GCM-SHA256:\ +ECDH-RSA-AES128-GCM-SHA256:\ +ECDH-ECDSA-AES128-GCM-SHA256:\ +ECDHE-RSA-AES256-GCM-SHA384:\ +AES128-SHA + + + # Use keywords instead of explicity naming the ciphers (Does not work with MbedTLS) + cipher-list ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH + + + + + + + + + + trusted-cas-file -- 2.39.2