Should I configure Ciphersuites on openssl after setting MinProtocol and CipherString?

Current OpenSSL version

OpenSSL 1.1.1d  10 Sep 2019 (Library: OpenSSL 1.1.1g  21 Apr 2020)

Current openssl.cnf configuration

At the top of the file

openssl_conf = default_conf

At the bottom of the file

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=1

No Ciphersuites directive is set.

Supported cipher list differs from configuration

However, when I ask for the enabled ciphers with openssl ciphers -s -v, I get ciphers like:

DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1

Should I define a Ciphersuites setting, or is openssl ciphers -s -v unreliable in some way?

Documentation

-s Only list supported ciphers: those consistent with the security level, and minimum and maximum protocol version.

While SecLevel 1 permits SSLv3 and TLSv1, MinProtocol doesn't.

Sources:

  • https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
  • https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
  • https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html

Solution 1:

Most ciphersuites are compatible with more than one protocol.

Except for TLS 1.3, which is completely separate, and SSL 2, which has been broken for decades and is no longer implemented by OpenSSL 1.1.0 (2016) up, most SSL/TLS ciphersuites can be used in more than one protocol version. Taking them as they occurred chronologically, all the ciphersuites defined in SSL 3 except the weird government ones (Fortezza) are still used in TLS 1.0, and those plus the new ones defined in/for 1.0 (mostly EC) but minus the deliberately weakened 'export' suites (which in 2006 had already been deprecated) are still used in 1.1, which doesn't define any new suites. 1.2 retains most of the suites from 1.1, minus single-DES which had been considered broken well before 2008, plus many new ones (using AEAD and/or SHA2).

As stated in the man page for SSL_CIPHER_description which is linked from that for ciphers:

<protocol version>
The minimum protocol version that the ciphersuite supports, such as TLSv1.2. Note that this is not always the same as the protocol version in which the ciphersuite was first defined because some ciphersuites are backwards compatible with earlier protocol versions.

Notice 'minimum'. DHE-RSA-AES256-SHA is usable in SSL3, TLS1.0, TLS1.1 and TLS1.2, so its minimum version is SSL3.

Using the older suites in 1.2 is not preferred or best practice, in particular because the new suites using AEAD (first GCM and CCM, then ChaCha/Poly) have better security properties at least in the absence of encrypt-then-mac (RFC7366) which wasn't published until 2014 and not widely implemented because AEAD was already there, but it is allowed and is supported by OpenSSL and the output of the ciphers command reflects this.

So yes, if you're going to require 1.2 you could also restrict ciphersuites to AEAD with very little reduction in compatibility (although there are some implementations, for example Java 7, that support 1.2 but only with older suites not new AEAD suites).
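As an added example (not part of the original question or answer), the following shell functions audit `openssl ciphers -v` output for suites that still use a separate MAC instead of AEAD, which are the ones the answer suggests dropping when TLS 1.2 is required. The function names are hypothetical, and the sample input is the four lines from the question plus two AEAD lines constructed in the same format.

```shell
#!/bin/sh
# Constructed sample input: two AEAD lines (constructed) followed by the
# four lines quoted in the question, in `openssl ciphers -v` format.
sample_output() {
cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
EOF
}

# Read `openssl ciphers -v` output on stdin and print
# "<suite> <minimum-protocol> <mac>" for every suite whose Mac= field is not AEAD.
# Column 2 is the minimum protocol version the suite supports, so SSLv3 or
# TLSv1 in that column does not mean those protocol versions are enabled.
non_aead_suites() {
    awk '{
        mac = ""
        # The Mac= field is located by name because column spacing varies.
        for (i = 3; i <= NF; i++) if ($i ~ /^Mac=/) mac = substr($i, 5)
        if (mac != "" && mac != "AEAD") print $1, $2, mac
    }'
}

# Number of non-AEAD suites in the listing read from stdin.
count_non_aead() {
    non_aead_suites | wc -l | tr -d ' '
}

# Against a live configuration (requires the openssl binary):
#   openssl ciphers -s -v | non_aead_suites
```

On the sample input, `sample_output | non_aead_suites` lists exactly the four CBC/SHA1 suites from the question and leaves out the two AEAD suites.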