Question
Passing string didn't work
I want to get a cipher using EVP_get_cipherbyname, I have the following
- RFC name: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, which should map to this
- OpenSSL name: DHE-RSA-AES128-GCM-SHA256.
But when passing this string to the function, it can't find the cipher.
Passing integer didn't work
Using openssl -V I can see this is a supported cipher, and that it has a value 0x9e, which is 158 in base 10. I have assumed that this would be the NID, and tried calling EVP_get_cipherbynid with 158, but alas that doesn't work either, although I don't think this is the NID anymore.
What works?
How do I get a mapping of the RFC names to names that OpenSSL will accept?
Answer 1:
I believe the issue is that you're confusing cipher suites and ciphers.
EVP_get_cipherbyname() does not take the name of a cipher suite; it takes the name of a cipher. The man page and general documentation for the OpenSSL API are pretty terrible. But searching for "EVP_get_cipherbyname" in this PDF yields 6 results. The very last reference is in a section talking about PEM encoded certificates. Now I know this isn't what you're doing, but it contains the following quote:
The line beginning DEK-Info contains two comma separated pieces of information: the encryption algorithm name as used by EVP_get_cipherbyname() and an 8 byte salt encoded as a set of hexadecimal digits.
The line they're referring to is: DEK-Info: DES-EDE3-CBC,3F17F5316E2BAC8
Which means that EVP_get_cipherbyname() really takes DES-EDE3-CBC as input, not a cipher suite. For your case I believe you're looking for AES-128-GCM to get the correct cipher.
NID simply stands for Numerical ID. This is a generic term for identifying a set list. Cipher suites do not have NIDs, only the RFC-assigned codes (thanks @dave_thompson_085), which is why when you attempted to use the NID it still couldn't find the cipher.
Answer 2:
I can't tell you how to get a cipher suite by IANA cipher suite hexcode. But maybe this answer can still help a bit.
Use table manually.
Lazy answer: Use the handy TestSSL.sh table (Archived here.)
[0x9e], DHE-RSA-AES128-GCM-SHA256, DH, AESGCM, 128, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Or use the official OpenSSL name mapping table (which sadly lacks hexcodes).
NID is different.
There are many, many types of NID (EDIT: see Dave's comment below for details), such as these:
- (Bulk) Cipher NID
- Digest NID
As far as I can tell, they were introduced in April 2015.
In contrast, the official hexcodes in the TLS Cipher Suite Registry are for COMBINATIONS of crypto-building-blocks (bulk-cipher, digest, key-exchange, authentication, etc.), and not for the individual building blocks.
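The suite-versus-cipher distinction drawn in both answers can be checked against a live OpenSSL build. The following is an added example, not code from the original post: it uses Python's ssl module because that module reads OpenSSL's own cipher-suite table. The names suite_table and lookup are made up for this sketch, and it assumes an interpreter linked against OpenSSL 1.1.0 or later with DHE suites enabled.

```python
import ssl


def suite_table(cipher_string="ALL"):
    """Return {16-bit TLS registry code: suite details} from the linked OpenSSL.

    "ALL" is an OpenSSL cipher-list string, so the table reflects what this
    particular build supports, not the full IANA registry.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    table = {}
    for c in ctx.get_ciphers():
        # OpenSSL reports the id as 0x0300009E; the low 16 bits (0x009E)
        # are the two-byte value listed in the TLS Cipher Suite Registry.
        code = c["id"] & 0xFFFF
        table[code] = {
            "openssl_suite": c["name"],        # name of the whole suite
            "bulk_cipher": c.get("symmetric"),  # the individual cipher
            "digest": c.get("digest"),          # None for AEAD suites
            "key_exchange": c.get("kea"),
            "authentication": c.get("auth"),
            "protocol": c["protocol"],
        }
    return table


def lookup(code, table=None):
    """Look up one suite by its registry code, e.g. 0x009E."""
    table = suite_table() if table is None else table
    return table.get(code)


if __name__ == "__main__":
    row = lookup(0x009E)  # code of TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    if row is None:
        print("suite 0x009E is not available in this OpenSSL build")
    else:
        for key, value in row.items():
            print(f"{key:15} {value}")
```

The suite name is the kind of string that goes into a cipher list (set_ciphers here, SSL_CTX_set_cipher_list in C), while the bulk_cipher field is the kind of name Answer 1 says EVP_get_cipherbyname() expects.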
Source: https://stackoverflow.com/questions/32483878/mapping-rfc-names-to-openssl