Try to explain DEFAULT in ciphers #5429
richsalz wants to merge 1 commit into openssl:master from richsalz:gh5420
Conversation
doc/man1/ciphers.pod
Not just "cannot be prefixed": even DEFAULT+ECDH will not behave as another cipher string would (i.e. select what is in DEFAULT and uses ECDH).
That is not what + means. Try these:
```
openssl ciphers -v DEFAULT | tail
openssl ciphers -v DEFAULT+RSA | tail
```
It does not do an AND. It does a "move to end of the list."
You can do RSA+AES, where + does mean AND. DEFAULT+AES does not work because of the bug. On the other hand, ALL+RSA:!COMPLEMENTOFDEFAULT:!eNULL works.
doc/man1/ciphers.pod
IIUC from comments by people who have read the code, they are taken as cipher strings, not cipher names. I.e., DEFAULT-ECDH means what DEFAULT:-ECDH would, although -ECDH is not a cipher name.
Yes, I guess so. The terminology in this page is poor.
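The two comparisons made in the review threads above (RSA+AES as an AND versus DEFAULT+RSA as a reorder, and DEFAULT-ECDH versus DEFAULT:-ECDH) can be checked directly against the openssl binary. The script below is an added example written for this page; it is not part of the PR or of OpenSSL's own code. It assumes an `openssl` binary on PATH (1.1.1 or 3.x); the cipher strings are the ones quoted in the comments, and the helper function names are ours.

```shell
#!/bin/sh
# Added example for this thread; not part of the PR or of OpenSSL.
# Runs the cipher strings quoted in the comments through openssl ciphers(1)
# and compares what each one selects. Assumes `openssl` on PATH.

# Suite names selected by a cipher string, one per line. openssl ciphers
# prints the TLSv1.3 suites (TLS_...) first whatever the string says.
cipher_names() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n'
}

# Number of suites a string selects; 0 if openssl rejects the string.
cipher_count() {
    cipher_names "$1" | grep -c .
}

# Succeed if every suite selected by $1 is also selected by $2.
subset_of() {
    names_b=$(cipher_names "$2")
    [ -n "$names_b" ] || return 1
    for n in $(cipher_names "$1"); do
        printf '%s\n' "$names_b" | grep -Fxq -- "$n" || return 1
    done
    return 0
}

# Succeed if $1 and $2 select exactly the same set of suites.
same_set() {
    subset_of "$1" "$2" && subset_of "$2" "$1"
}

# Succeed if every pre-TLSv1.3 suite selected by $1 has $2 in its name.
all_contain() {
    names=$(cipher_names "$1" | grep -v '^TLS_')
    [ -n "$names" ] || return 1
    printf '%s\n' "$names" | grep -qv -- "$2" && return 1
    return 0
}

# Print the suite count and the last three names, like `| tail` in the thread.
show_tail() {
    printf '== %s: %s suites, last three:\n' "$1" "$(cipher_count "$1")"
    cipher_names "$1" | tail -n 3
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo 'openssl not on PATH' >&2; return 0; }
    # "+" inside one word is AND: RSA+AES is the RSA-key-exchange suites using AES.
    show_tail RSA
    show_tail 'RSA+AES'
    subset_of 'RSA+AES' RSA && echo 'RSA+AES is a subset of RSA'
    # DEFAULT+RSA is parsed as DEFAULT followed by the rule "+RSA", which only
    # moves the RSA suites to the end of the list; compare the counts.
    show_tail DEFAULT
    show_tail 'DEFAULT+RSA'
    # The spelled-out form from the thread, which does use "+" as AND.
    show_tail 'ALL+RSA:!COMPLEMENTOFDEFAULT:!eNULL'
    # Anything after DEFAULT is taken as a cipher string, so the ":" is optional.
    same_set 'DEFAULT-ECDH' 'DEFAULT:-ECDH' && echo 'DEFAULT-ECDH == DEFAULT:-ECDH'
}

main
```

Run it as `sh cipherstrings.sh`; the DEFAULT and DEFAULT+RSA sections print the same suite count with the RSA suites relocated to the tail, while RSA+AES prints a strict subset of RSA.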
doc/man1/ciphers.pod
Thanks.
Updated commit pushed.
Thanks to Thomas Mraz and Alois Mahdal for helping with this.
For this case would providing a warning help or add to the confusion? Something like
So the docs that say "move to the end, but adds no ciphers" are wrong.
However, due to the strange behavior, IMO the easiest way to understand is to just realize that
#5428 is better, closing this.
Fixes #5420. Alternate version for #5428.