All openssl versions up to 1.0.2 name the following ciphers EDH* instead of DHE* or EXP-EDH* instead of EXP-DHE*:
```
prompt% openssl ciphers -V ALL:COMPLEMENTOFALL | grep -E 'EDH' | sort | sed 's/^ *//'
0x00,0x11 - EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
0x00,0x12 - EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
0x00,0x13 - EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
0x00,0x14 - EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
0x00,0x15 - EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
0x00,0x16 - EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
```
OpenSSL 1.1.0dev and later:
```
./openssl64-1.1.0dev ciphers -V ALL:COMPLEMENTOFALL | grep -E '0x00,0x1[1-6]' | sort | sed 's/^ *//'
0x00,0x11 - EXP-DHE-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
0x00,0x12 - DHE-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
0x00,0x13 - DHE-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
0x00,0x14 - EXP-DHE-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
0x00,0x15 - DHE-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
0x00,0x16 - DHE-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
```
There are two consequences:
- for checks with fixed cipher suites we might want to add the DHE counterpart, otherwise we would miss this one if a newer openssl version is used
- check whether we can (with limited effort) normalize the output to DHE*
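
A sketch of both consequences, added here as an example and not part of the original issue or the project's code: one function rewrites the legacy names to DHE* in output, the other expands a fixed cipher list so each of the six affected suites appears under both spellings. The function names are hypothetical and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not taken from the project.

# Rewrite legacy EDH-* / EXP-EDH-* names to the DHE-* spelling. The match is
# anchored to a token start or an EXP- prefix, so ECDHE-* is left untouched.
normalize_cipher_names() {
    sed -E 's/(^|[[:space:]:]|EXP-)EDH-/\1DHE-/g'
}

# Print the other spelling of one of the six affected suites (0x00,0x11-0x16),
# or nothing for any other cipher name.
counterpart() {
    case "$1" in
        EDH-*)     printf 'DHE-%s' "${1#EDH-}" ;;
        EXP-EDH-*) printf 'EXP-DHE-%s' "${1#EXP-EDH-}" ;;
        DHE-DSS-DES-CBC-SHA|DHE-DSS-DES-CBC3-SHA|DHE-RSA-DES-CBC-SHA|DHE-RSA-DES-CBC3-SHA)
                   printf 'EDH-%s' "${1#DHE-}" ;;
        EXP-DHE-DSS-DES-CBC-SHA|EXP-DHE-RSA-DES-CBC-SHA)
                   printf 'EXP-EDH-%s' "${1#EXP-DHE-}" ;;
    esac
}

# Expand a colon-separated fixed cipher list so that every affected suite is
# present under both names; order is kept and duplicates are dropped.
expand_cipher_list() {
    out=""
    old_ifs=$IFS; IFS=:
    for c in $1; do
        alt=$(counterpart "$c")
        for name in "$c" $alt; do
            case ":$out:" in
                *":$name:"*) ;;                      # already listed
                *) out="${out:+$out:}$name" ;;
            esac
        done
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Constructed sample input: one line in the old naming, one fixed list.
printf '0x00,0x16 - EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH\n' | normalize_cipher_names
expand_cipher_list "EDH-RSA-DES-CBC3-SHA:AES128-SHA"
```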