algorithm encryption openssl ssl-certificate x509

How can I use different encryption algorithms in OpenSSL for X.509 certificates?


I've been generating certificates for internal use at a company that may end up becoming more widespread as time progresses (rather than just on a single internal website). I've noticed that, when using OpenSSL, the certificates being generated show as using AES_256_CBC in Chrome, as shown below.

Chrome showing AES_256_CBC

I've been wondering, is it possible to use other encryption algorithms with OpenSSL? I've seen certificates for other websites showing up as using algorithms such as RC4_128, and CAMELLIA_256_CBC.

If it helps, I have two versions of OpenSSL installed; 0.9.8l and 1.0.1c, and I'm using Windows 7. These certificates are also chained; one root certificate, one intermediate certificate, and then the certificate used for the website.

Thanks for your time.


Solution

  • Short answer

    Yes, you can use other encryption algorithms but X.509 certificates play a very small role in that.

    In order to do that without modifying the client you must configure your server to favour some cipher suites over the others (e.g. for Apache have a look at the SSLCipherSuite configuration).

    If you can modify the client but not the server, you must reorder the cipher suites your client offers during the handshake. The ones with your preferred algorithm should come first. Alternatively, you can remove the ones with encryption algorithms that you don't like (even though that means that connections may fail because of that).

    Long answer

    The encryption algorithm used on an SSL/TLS connection is negotiated during the handshake. The client sends to the server the cipher suites it supports, ordered according to its preference. The server picks the one it likes most.

    A cipher suite (e.g. TLS_RSA_WITH_AES_128_CBC_SHA) is a tuple that indicates which algorithms must be used for:

    • Authentication
    • Key exchange
    • Bulk encryption
    • Cryptographic digest

    The content of the server X.509 certificate plays a small role in this process in that it limits how authentication and key exchange will be done. If the server certificate contains an RSA key, the cipher suite cannot be any of the ones starting with TLS_DH_DSS_*.

    Theoretically, the server X.509 certificate is independent from the bulk encryption algorithm. However, since not all possible combinations are covered (or offered by the client), the type of key in the server certificate may rule out some ciphers.
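The negotiation described in the answer, as an added example that is not part of the original post: Python's `ssl` module reads each suite's four components from the local OpenSSL build, and a simplified model then picks a suite the way the answer describes. The `negotiate` function and the sample preference lists are constructed for illustration and are not OpenSSL's own selection code; the suite names assume a current OpenSSL build.

```python
import ssl

# Which OpenSSL authentication labels a certificate key type can satisfy.
# "auth-any" is how OpenSSL labels TLS 1.3 suites, which do not name a key type.
CERT_AUTH = {"rsa": {"auth-rsa", "auth-any"},
             "ecdsa": {"auth-ecdsa", "auth-any"}}


def suite_table(cipher_string="ALL"):
    """Return {suite name: (key exchange, authentication, bulk cipher, digest)}."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return {c["name"]: (c["kea"], c["auth"], c["symmetric"], c["digest"])
            for c in ctx.get_ciphers()}


def negotiate(client_offer, server_prefs, cert_key, table, server_order=True):
    """Simplified model of suite selection; returns the chosen name or None.

    The side whose order is honoured is walked first; a suite is accepted only
    if the other side lists it too and the certificate key type can perform
    the authentication that the suite requires.
    """
    if server_order:
        walk, other = server_prefs, client_offer
    else:
        walk, other = client_offer, server_prefs
    for name in walk:
        auth = table.get(name, (None, None))[1]
        if name in other and auth in CERT_AUTH[cert_key]:
            return name
    return None


if __name__ == "__main__":
    table = suite_table()
    # Constructed preference lists (OpenSSL suite names).
    client = ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
              "ECDHE-RSA-AES256-GCM-SHA384"]
    server = ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
              "ECDHE-RSA-AES128-GCM-SHA256"]
    for cert_key in ("rsa", "ecdsa"):
        for server_order in (True, False):
            chosen = negotiate(client, server, cert_key, table, server_order)
            print(cert_key, "server order" if server_order else "client order",
                  chosen, table.get(chosen))
```

With an RSA certificate the ECDSA suite is skipped no matter how highly either side ranks it, while the bulk cipher (AES-128 or AES-256 here) changes only with whose preference order is honoured.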