The official ssl docs list ciphers in a different format than curl takes. For instance, if I want curl to use the cipher TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, I have to pass it curl --ciphers ecdhe_rsa_3des_sha. I know what some of the mappings are, but not all of them – for instance, what do I have to pass to curl to get it to use cipher TLS_DHE_RSA_WITH_AES_128_GCM_SHA256?
Is there anywhere I can find a document showing how the cipher names in the ssl docs map to the cipher names that curl accepts?
Edit: I have eventually discovered that my curl is backed by NSS, not OpenSSL, and the problem is specifically because there is no good documentation on using NSS-backed curl, while it requires a different argument than OpenSSL does to use the same cipher. So my question is specific to NSS.
Best Answer
There is no documentation covering all of the conversions between the name of the cipher and the name that curl is expecting as an argument.
Luckily, curl is open source, and the mapping is available in the source code.
For the benefit of future searchers, I reproduce it more neatly here:
SSL2 cipher suites
SSL3/TLS cipher suites
TLS 1.0: Exportable 56-bit Cipher Suites.
AES ciphers.
ECC ciphers.
new HMAC-SHA256 cipher suites specified in RFC
AES GCM cipher suites in RFC 5288 and RFC 5289
So if you want to use the cipher TLS_DHE_RSA_WITH_AES_128_CBC_SHA, the command would be:
In order to specify multiple ciphers, separate the list with commas. So if you want to use the cipher TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 as well, the command would be:
To view a list of the ciphers that curl is using, you will need an external service - like this:
Although NB, that service does not accept all ciphers, which means if you are restricting connection to only one cipher which is not in use, you will get an error "Cannot communicate securely with peer: no common encryption algorithm" instead of a response.
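The lookup and comma-joining described in the answer above, as an added example that is not part of the original post or of curl itself. Only the `ecdhe_rsa_3des_sha` entry comes from this page; the other three entries are assumed from curl's NSS cipher table and should be checked against the source of your curl version. The function names, the version banner and the `https://example.test/` URL are constructed.

```shell
#!/bin/sh
# Added example: translate RFC cipher suite names into the names an
# NSS-backed curl expects after --ciphers.

# Constructed sample of the first line of `curl --version` on an NSS build.
SAMPLE_VERSION='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.7'

# Print the TLS backend named in a `curl --version` banner line.
tls_backend() {
  case "$1" in
    *" NSS/"*)     echo nss ;;
    *" OpenSSL/"*) echo openssl ;;
    *)             echo unknown ;;
  esac
}

# Map one RFC name to its NSS-curl name. Deliberately a small subset:
# the first entry is from the page, the rest are assumed from curl's
# NSS cipher table. Unknown names return non-zero.
nss_name() {
  case "$1" in
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA)  echo ecdhe_rsa_3des_sha ;;
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA)     echo dhe_rsa_aes_128_cbc_sha ;;
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)  echo dhe_rsa_aes_128_gcm_sha_256 ;;
    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256) echo ecdh_rsa_aes_128_gcm_sha_256 ;;
    *) return 1 ;;
  esac
}

# Build the comma-separated --ciphers value. Fails on the first name
# without a mapping instead of silently dropping it from the list.
nss_cipher_list() {
  out=
  for suite in "$@"; do
    name=$(nss_name "$suite") || { echo "no NSS mapping for $suite" >&2; return 1; }
    out="${out:+$out,}$name"
  done
  echo "$out"
}

# Demo: only emit NSS-style names when the banner says the backend is NSS.
if [ "$(tls_backend "$SAMPLE_VERSION")" = nss ]; then
  list=$(nss_cipher_list TLS_DHE_RSA_WITH_AES_128_CBC_SHA \
                         TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256)
  echo "curl --ciphers $list https://example.test/"
fi
```

On a real system, pass `"$(curl --version | head -n 1)"` to `tls_backend` in place of the sample banner.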