The wikis are now using the new authentication system.
If you did not migrate your account yet, visit https://idp-portal-info.suse.com/

ARTIGOS:Problema de conexão usando o protocolo TLS

Ir para: navegação, pesquisa

Descrição do problema

O protocolo Transport Layer Security, mais conhecido como TLS, foi projetado para permitir que cliente e servidor se comuniquem de forma segura utilizando um canal inseguro. O TLS utiliza o Handshake Protocol para negociar os atributos de segurança da sessão. Durante esse processo, o cliente informa as cifras que ele tem disponível (também conhecido como cipher ou cypher) e o servidor escolhe uma delas para ser utilizada como algoritmo de criptografia daquela sessão. Essa escolha é baseada nas cifras configuradas no servidor. No apache, a diretiva SSLCipherSuite é utilizada para realizar essa configuração.

NOTA: O objetivo deste artigo está na transferência de conhecimento sobre problemas que ocorrem no uso do TLS. O uso indevido do conteúdo deste artigo fica sobre a responsabilidade do leitor, isentando o autor de qualquer problema ou danos causados.

Mas, o que acontece se a configuração do servidor não possuir nenhuma das cifras informadas pelo cliente?

Um erro de conexão será retornado e o cliente não conseguirá estabelecer uma comunicação segura com o servidor.

O comando a seguir demonstra o erro com a falha durante o processo de conexão:

opensuse-test:~ # openssl s_client -connect www.opensuse.org:443 -cipher ECDH-ECDSA-RC4-SHA -tls1_2
CONNECTED(00000003)
140025368012432:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:617:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1.2
Cipher  : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg  : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1484671268
Timeout  : 7200 (sec)
Verify return code: 0 (ok)
---
opensuse-test:~ #

Então, como descobrir pelo lado do cliente, quais são as cifras disponíveis no servidor?

A seguir, vamos preparar um ambiente usando o opensuse para descobrir alguns detalhes da configuração do servidor.

Preparando o ambiente

Os pacotes nmap e openssl são necessários para realizar esse teste. Os comandos a seguir deverão ser executados pelo usuário root.

Para verificar se o nmap está instalado:

opensuse-test:~ # zypper se openssl | grep "i | o"
i | openssl | Secure Sockets and Transport Layer Security | package

Para verificar se o openssl está instalado:

opensuse-test:~ # zypper se nmap | grep "i | n"
i | nmap | Portscanner | package

Caso não esteja instalado:

opensuse-test:~ # zypper ref
Repository 'openSUSE-13.2-Non-Oss' is up to date.
Repository 'openSUSE-13.2-Oss' is up to date.
Retrieving repository 'openSUSE-13.2-Update' metadata ......................................................................................................[done]
Building repository 'openSUSE-13.2-Update' cache ...........................................................................................................[done]
Retrieving repository 'openSUSE-13.2-Update-Non-Oss' metadata ..............................................................................................[done]
Building repository 'openSUSE-13.2-Update-Non-Oss' cache ...................................................................................................[done]
All repositories have been refreshed.
opensuse-test:~ #
opensuse-test:~ # zypper in nmap
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following 3 NEW packages are going to be installed:
liblua5_2 libpcap1 nmap

3 new packages to install.
Overall download size: 3.9 MiB. Already cached: 0 B After the operation, additional 17.2 MiB will be used.
Continue? [y/n/? shows all options] (y):
Retrieving package liblua5_2-5.2.3-2.2.1.x86_64 (1/3), 85.8 KiB (203.7 KiB unpacked)
Retrieving: liblua5_2-5.2.3-2.2.1.x86_64.rpm ...............................................................................................................[done]
Retrieving package libpcap1-1.6.2-1.2.x86_64 (2/3), 139.4 KiB (341.3 KiB unpacked)
Retrieving: libpcap1-1.6.2-1.2.x86_64.rpm ..................................................................................................................[done]
Retrieving package nmap-6.47-2.1.10.x86_64 (3/3), 3.6 MiB ( 16.7 MiB unpacked)
Retrieving: nmap-6.47-2.1.10.x86_64.rpm .......................................................................................................[done (91.3 KiB/s)]
Checking for file conflicts: ...............................................................................................................................[done]
(1/3) Installing: liblua5_2-5.2.3-2.2.1 ....................................................................................................................[done]
(2/3) Installing: libpcap1-1.6.2-1.2 .......................................................................................................................[done]
(3/3) Installing: nmap-6.47-2.1.10 .........................................................................................................................[done]
opensuse-test:~ #

Repetir o mesmo processo para o pacote openssl, usando o comando:

opensuse-test:~ # zypper in openssl


Iniciando os testes

Descobrindo alguns detalhes sobre a configuração do servidor usando o comando nmap:

opensuse-test:~ # nmap --script ssl-enum-ciphers.nse www.opensuse.org

Starting Nmap 6.47 ( http://nmap.org ) at 2017-01-17 11:48 BRST
Nmap scan report for www.opensuse.org (130.57.66.6)
Host is up (0.23s latency).
rDNS record for 130.57.66.6: forums.opensuse.org
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| compressors:
| NULL
|_ least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 25.08 seconds
opensuse-test:~ #

Vamos aos detalhes sobre o endereço www.opensuse.org:

O Servidor está configurado para aceitar conexões nas portas 80 http e 443 https. A porta 443 está configurada para o protocolo TLS nas versões 1.0 e 1.2. Note que não são aceitos os protocolos SSLv2, SSLv3 e TLSv1.1. O TLS 1.0 aceita as cifras TLS_RSA_WITH_AES_128_CBC_SHA e TLS_RSA_WITH_AES_256_CBC_SHA e o TLS 1.2 aceita TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA e TLS_RSA_WITH_AES_256_CBC_SHA256.

Resumindo:

Portas abertas: 80 http e 443 https
Porta 443:
Aceita conexões usando o protocolo TLS nas versões 1.0 e 1.2
Para o TLS 1.0, são aceitas as cifras:
Cipher suites names OpenSSL equivalents
TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
Para o TLS 1.2
Cipher suites names OpenSSL equivalents
TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 AES128-SHA256
TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
TLS_RSA_WITH_AES_256_CBC_SHA256 AES256-SHA256


Para descobrir o nome equivalente das cifras para o OpenSSL, consulte o endereço https://www.openssl.org/docs/man1.0.2/apps/ciphers.html, na parte CIPHER SUITE NAMES

Listando as cifras locais que podem ser utilizadas com o comando openssl:

Para listar todas as cifras:

opensuse-test:~ # openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA

Para verficar se a cifra AES256-SHA256 está disponível localmente:

opensuse-test:~ # openssl ciphers | grep --color=always AES256-SHA256
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA

O nome AES256-SHA256 ficará destacado em vermelho. Verifique se é a cifra correta.

Para pesquisar mais de uma cifra:

opensuse-test:~ # openssl ciphers | grep --color=always -e AES128-SHA256 -e AES256-SHA256
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA

Nesse momento, já sabemos quais cifras estão configuradas no servidor e quais cifras estão disponíveis no cliente.

Testando a comunicação com o servidor

Tentando conectar no endereço www.opensuse.org usando a cifra AES128-SHA e o protocolo TLS na versão 1.0

opensuse-test:~ # openssl s_client -connect www.opensuse.org:443 -cipher AES128-SHA -tls1
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, L = Provo, ST = Utah, O = "Novell, Inc.", CN = *.opensuse.org
verify return:1
---
Certificate chain
0 s:/C=US/L=Provo/ST=Utah/O=Novell, Inc./CN=*.opensuse.org
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFQzCCBCugAwIBAgIQDWJqtx4/GFYfXkW0IAS1dTANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNTAyMTcwMDAwMDBaFw0xODA0MjMxMjAwMDBa
MFwxCzAJBgNVBAYTAlVTMQ4wDAYDVQQHEwVQcm92bzENMAsGA1UECBMEVXRhaDEV
MBMGA1UEChMMTm92ZWxsLCBJbmMuMRcwFQYDVQQDDA4qLm9wZW5zdXNlLm9yZzCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM07oOJm4XLz3IrTq3W5rUgv
RYGLiZ/xjzG9Vw5fm8eZdH10UAMf9gbGB6dHUOqx56A34yodVeTMHYsMHBW+uqLk
TZk8sJSsHYeSxxq0nkiqyFKoVWCYs5u99B3mKM82BBpKDiQZPdKTq5vpfHgQWne+
CdpH6aqIhGRgAz/My9IVIS4Bm6vW/umCeyzZxO5TytZBZi+l8dM50iEBmsg8+B1g
rRJvm1haF8G8JNnKf/KTGTEA30erQ3Zbxf7VwaQUBXqxSuW25aim0FwTRoX41g3i
FQVibB2kiz5D+brPXzVzqJCXLtMLeyJZFPnFhzSgoeo/YdhlH3p1J5VRi+cGUVcC
AwEAAaOCAeswggHnMB8GA1UdIwQYMBaAFFFo/5CvAgd1PMzZZWRiohK4WXI7MB0G
A1UdDgQWBBT5haE+0409kBfZi6Hq8xwd9nWDvDAnBgNVHREEIDAegg4qLm9wZW5z
dXNlLm9yZ4IMb3BlbnN1c2Uub3JnMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU
BggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0fBG4wbDA0oDKgMIYuaHR0cDovL2Ny
bDMuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWczLmNybDA0oDKgMIYuaHR0
cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWczLmNybDBCBgNV
HSAEOzA5MDcGCWCGSAGG/WwBATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5k
aWdpY2VydC5jb20vQ1BTMIGDBggrBgEFBQcBAQR3MHUwJAYIKwYBBQUHMAGGGGh0
dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBNBggrBgEFBQcwAoZBaHR0cDovL2NhY2Vy
dHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkhpZ2hBc3N1cmFuY2VTZXJ2ZXJD
QS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAF+txhotR6kMJ
c/gRDAVCcc0Zj5cw5cuGeg7g3vG5Je45upbTfKQ/n2uU2AR0VIsap0Q8Zmo0/i/K
YVaq43HCdjB6mXz4KKl8IRbFT1WN5sI+HpXpAaWJ53KF3EkQj9w0NIR5QPvFWG8X
5zmg/SbyLdEuSQqtbOIm9KPwEAXo7+LDbiFAxMgbtAuKRUOuCWyRF/zeBjJSKX4E
NUB9stQUT+27GNZZNlyFTtmHQJUoIOy/hflAUQIGoXJdC2cWbVgl/ih5pjhwdVGi
BCv1oMDduoSF/wqtII/TTosjCK3YVZv1H3exAmtboMCZ1PAIOrMtQZZZrBoudiII
bpWKe/in7g==
-----END CERTIFICATE-----
subject=/C=US/L=Provo/ST=Utah/O=Novell, Inc./CN=*.opensuse.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2728 bytes and written 389 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher  : AES128-SHA
Session-ID: 31C1E84263C7638C9362F628AFE013B2F86497FCF50D5F35643A45F55F0EB66F
Session-ID-ctx:
Master-Key: 60B62D0A0F55066B2F51388C55E19DE8A79F1274446B1102A41CF8E88CE6F9CAD2D394C43B7ED762028D963C603F1DC6
Key-Arg  : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1484660970
Timeout  : 7200 (sec)
Verify return code: 0 (ok)
---
DONE
opensuse-test:~ #

A conexão foi estabelecida usando o Protocolo TLS versão 1.0 e a cifra AES128-SHA, conforme descrito a seguir:

(...)
SSL-Session:
Protocol  : TLSv1
Cipher  : AES128-SHA
(...)


Tentando conectar no endereço www.opensuse.org usando a cifra AES128-SHA e o protocolo TLS na versão 1.1

opensuse-test:~ # openssl s_client -connect www.opensuse.org:443 -cipher AES128-SHA -tls1_1
CONNECTED(00000003)
139991026812560:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:347:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1.1
Cipher  : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg  : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1484672789
Timeout  : 7200 (sec)
Verify return code: 0 (ok)
---
opensuse-test:~ #

O cliente não conseguiu se comunicar com o servidor usando a versão 1.1 do protocolo TLS. Se verificarmos a configuração do servidor, podemos notar que ele está configurado somente para as versões 1.0 e 1.2.

Tentando conectar no endereço www.opensuse.org usando a cifra AES128-SHA e o protocolo TLS na versão 1.2

opensuse-test:~ # openssl s_client -connect www.opensuse.org:443 -cipher AES128-SHA -tls1_2
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, L = Provo, ST = Utah, O = "Novell, Inc.", CN = *.opensuse.org
verify return:1
---
Certificate chain
0 s:/C=US/L=Provo/ST=Utah/O=Novell, Inc./CN=*.opensuse.org
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFQzCCBCugAwIBAgIQDWJqtx4/GFYfXkW0IAS1dTANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNTAyMTcwMDAwMDBaFw0xODA0MjMxMjAwMDBa
MFwxCzAJBgNVBAYTAlVTMQ4wDAYDVQQHEwVQcm92bzENMAsGA1UECBMEVXRhaDEV
MBMGA1UEChMMTm92ZWxsLCBJbmMuMRcwFQYDVQQDDA4qLm9wZW5zdXNlLm9yZzCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM07oOJm4XLz3IrTq3W5rUgv
RYGLiZ/xjzG9Vw5fm8eZdH10UAMf9gbGB6dHUOqx56A34yodVeTMHYsMHBW+uqLk
TZk8sJSsHYeSxxq0nkiqyFKoVWCYs5u99B3mKM82BBpKDiQZPdKTq5vpfHgQWne+
CdpH6aqIhGRgAz/My9IVIS4Bm6vW/umCeyzZxO5TytZBZi+l8dM50iEBmsg8+B1g
rRJvm1haF8G8JNnKf/KTGTEA30erQ3Zbxf7VwaQUBXqxSuW25aim0FwTRoX41g3i
FQVibB2kiz5D+brPXzVzqJCXLtMLeyJZFPnFhzSgoeo/YdhlH3p1J5VRi+cGUVcC
AwEAAaOCAeswggHnMB8GA1UdIwQYMBaAFFFo/5CvAgd1PMzZZWRiohK4WXI7MB0G
A1UdDgQWBBT5haE+0409kBfZi6Hq8xwd9nWDvDAnBgNVHREEIDAegg4qLm9wZW5z
dXNlLm9yZ4IMb3BlbnN1c2Uub3JnMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU
BggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0fBG4wbDA0oDKgMIYuaHR0cDovL2Ny
bDMuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWczLmNybDA0oDKgMIYuaHR0
cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWczLmNybDBCBgNV
HSAEOzA5MDcGCWCGSAGG/WwBATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5k
aWdpY2VydC5jb20vQ1BTMIGDBggrBgEFBQcBAQR3MHUwJAYIKwYBBQUHMAGGGGh0
dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBNBggrBgEFBQcwAoZBaHR0cDovL2NhY2Vy
dHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkhpZ2hBc3N1cmFuY2VTZXJ2ZXJD
QS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAF+txhotR6kMJ
c/gRDAVCcc0Zj5cw5cuGeg7g3vG5Je45upbTfKQ/n2uU2AR0VIsap0Q8Zmo0/i/K
YVaq43HCdjB6mXz4KKl8IRbFT1WN5sI+HpXpAaWJ53KF3EkQj9w0NIR5QPvFWG8X
5zmg/SbyLdEuSQqtbOIm9KPwEAXo7+LDbiFAxMgbtAuKRUOuCWyRF/zeBjJSKX4E
NUB9stQUT+27GNZZNlyFTtmHQJUoIOy/hflAUQIGoXJdC2cWbVgl/ih5pjhwdVGi
BCv1oMDduoSF/wqtII/TTosjCK3YVZv1H3exAmtboMCZ1PAIOrMtQZZZrBoudiII
bpWKe/in7g==
-----END CERTIFICATE-----
subject=/C=US/L=Provo/ST=Utah/O=Novell, Inc./CN=*.opensuse.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2744 bytes and written 441 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1.2
Cipher  : AES128-SHA
Session-ID: 855AA2F38EA614C2D5ED99E9989BAF615648694CA839254AE7B6C7E3D4E8BA41
Session-ID-ctx:
Master-Key: F38021CC85B77237CE9D5AD5D9A3C66CEDAFA3F18B6E8912B7A6EEB3E2907987786BE00BA7AF5EACA3690447DC846F9E
Key-Arg  : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1484661010
Timeout  : 7200 (sec)
Verify return code: 0 (ok)
---
DONE
opensuse-test:~ #

A conexão foi estabelecida usando o Protocolo TLS versão 1.2 e a cifra AES128-SHA, conforme descrito a seguir:

(...)
SSL-Session:
Protocol  : TLSv1.2
Cipher  : AES128-SHA
(...)


Um outro teste interessante seria tentar usar a cifra AES256-SHA256 que está configurada somente para o TLS 1.2

Tentando conectar no endereço www.opensuse.org usando a cifra AES256-SHA256 e o protocolo TLS na versão 1.0

opensuse-test:~ # openssl s_client -connect www.opensuse.org:443 -cipher AES256-SHA256 -tls1
CONNECTED(00000003)
140439429707408:error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available:s3_clnt.c:736:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher  : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg  : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1484661045
Timeout  : 7200 (sec)
Verify return code: 0 (ok)
---
opensuse-test:~ #

Tentando conectar no endereço www.opensuse.org usando a cifra AES256-SHA256 e o protocolo TLS na versão 1.1

opensuse-test:~ # openssl s_client -connect www.opensuse.org:443 -cipher AES256-SHA256 -tls1_1
CONNECTED(00000003)
140420989695632:error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available:s3_clnt.c:736:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1.1
Cipher  : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg  : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1484661104
Timeout  : 7200 (sec)
Verify return code: 0 (ok)
---
opensuse-test:~ #

Tentando conectar no endereço www.opensuse.org usando a cifra AES256-SHA256 e o protocolo TLS na versão 1.2

opensuse-test:~ # openssl s_client -connect www.opensuse.org:443 -cipher AES256-SHA256 -tls1_2
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, L = Provo, ST = Utah, O = "Novell, Inc.", CN = *.opensuse.org
verify return:1
---
Certificate chain
0 s:/C=US/L=Provo/ST=Utah/O=Novell, Inc./CN=*.opensuse.org
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFQzCCBCugAwIBAgIQDWJqtx4/GFYfXkW0IAS1dTANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNTAyMTcwMDAwMDBaFw0xODA0MjMxMjAwMDBa
MFwxCzAJBgNVBAYTAlVTMQ4wDAYDVQQHEwVQcm92bzENMAsGA1UECBMEVXRhaDEV
MBMGA1UEChMMTm92ZWxsLCBJbmMuMRcwFQYDVQQDDA4qLm9wZW5zdXNlLm9yZzCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM07oOJm4XLz3IrTq3W5rUgv
RYGLiZ/xjzG9Vw5fm8eZdH10UAMf9gbGB6dHUOqx56A34yodVeTMHYsMHBW+uqLk
TZk8sJSsHYeSxxq0nkiqyFKoVWCYs5u99B3mKM82BBpKDiQZPdKTq5vpfHgQWne+
CdpH6aqIhGRgAz/My9IVIS4Bm6vW/umCeyzZxO5TytZBZi+l8dM50iEBmsg8+B1g
rRJvm1haF8G8JNnKf/KTGTEA30erQ3Zbxf7VwaQUBXqxSuW25aim0FwTRoX41g3i
FQVibB2kiz5D+brPXzVzqJCXLtMLeyJZFPnFhzSgoeo/YdhlH3p1J5VRi+cGUVcC
AwEAAaOCAeswggHnMB8GA1UdIwQYMBaAFFFo/5CvAgd1PMzZZWRiohK4WXI7MB0G
A1UdDgQWBBT5haE+0409kBfZi6Hq8xwd9nWDvDAnBgNVHREEIDAegg4qLm9wZW5z
dXNlLm9yZ4IMb3BlbnN1c2Uub3JnMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU
BggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0fBG4wbDA0oDKgMIYuaHR0cDovL2Ny
bDMuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWczLmNybDA0oDKgMIYuaHR0
cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWczLmNybDBCBgNV
HSAEOzA5MDcGCWCGSAGG/WwBATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5k
aWdpY2VydC5jb20vQ1BTMIGDBggrBgEFBQcBAQR3MHUwJAYIKwYBBQUHMAGGGGh0
dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBNBggrBgEFBQcwAoZBaHR0cDovL2NhY2Vy
dHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkhpZ2hBc3N1cmFuY2VTZXJ2ZXJD
QS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAF+txhotR6kMJ
c/gRDAVCcc0Zj5cw5cuGeg7g3vG5Je45upbTfKQ/n2uU2AR0VIsap0Q8Zmo0/i/K
YVaq43HCdjB6mXz4KKl8IRbFT1WN5sI+HpXpAaWJ53KF3EkQj9w0NIR5QPvFWG8X
5zmg/SbyLdEuSQqtbOIm9KPwEAXo7+LDbiFAxMgbtAuKRUOuCWyRF/zeBjJSKX4E
NUB9stQUT+27GNZZNlyFTtmHQJUoIOy/hflAUQIGoXJdC2cWbVgl/ih5pjhwdVGi
BCv1oMDduoSF/wqtII/TTosjCK3YVZv1H3exAmtboMCZ1PAIOrMtQZZZrBoudiII
bpWKe/in7g==
-----END CERTIFICATE-----
subject=/C=US/L=Provo/ST=Utah/O=Novell, Inc./CN=*.opensuse.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2760 bytes and written 457 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1.2
Cipher  : AES256-SHA256
Session-ID: 059DDF42A7BED2A53E527B2ACA5D877A8A1318AD4D0B2554189C9B065BDB9EF3
Session-ID-ctx:
Master-Key: 61D67E70899F4213B28A3FD3AA6714549EBA97F4633753A3769CEE9627D9637891CEA8962795361444DBBC9E8E734551
Key-Arg  : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1484661074
Timeout  : 7200 (sec)
Verify return code: 0 (ok)
---
DONE
opensuse-test:~ #

Tentando conectar no endereço www.opensuse.org usando as cifras AES128-SHA:AES256-SHA256 e o protocolo TLS na versão 1.2

opensuse-test:~ # openssl s_client -connect www.opensuse.org:443 -cipher AES128-SHA:AES256-SHA256 -tls1_2
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, L = Provo, ST = Utah, O = "Novell, Inc.", CN = *.opensuse.org
verify return:1
---
Certificate chain
0 s:/C=US/L=Provo/ST=Utah/O=Novell, Inc./CN=*.opensuse.org
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFQzCCBCugAwIBAgIQDWJqtx4/GFYfXkW0IAS1dTANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNTAyMTcwMDAwMDBaFw0xODA0MjMxMjAwMDBa
MFwxCzAJBgNVBAYTAlVTMQ4wDAYDVQQHEwVQcm92bzENMAsGA1UECBMEVXRhaDEV
MBMGA1UEChMMTm92ZWxsLCBJbmMuMRcwFQYDVQQDDA4qLm9wZW5zdXNlLm9yZzCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM07oOJm4XLz3IrTq3W5rUgv
RYGLiZ/xjzG9Vw5fm8eZdH10UAMf9gbGB6dHUOqx56A34yodVeTMHYsMHBW+uqLk
TZk8sJSsHYeSxxq0nkiqyFKoVWCYs5u99B3mKM82BBpKDiQZPdKTq5vpfHgQWne+
CdpH6aqIhGRgAz/My9IVIS4Bm6vW/umCeyzZxO5TytZBZi+l8dM50iEBmsg8+B1g
rRJvm1haF8G8JNnKf/KTGTEA30erQ3Zbxf7VwaQUBXqxSuW25aim0FwTRoX41g3i
FQVibB2kiz5D+brPXzVzqJCXLtMLeyJZFPnFhzSgoeo/YdhlH3p1J5VRi+cGUVcC
AwEAAaOCAeswggHnMB8GA1UdIwQYMBaAFFFo/5CvAgd1PMzZZWRiohK4WXI7MB0G
A1UdDgQWBBT5haE+0409kBfZi6Hq8xwd9nWDvDAnBgNVHREEIDAegg4qLm9wZW5z
dXNlLm9yZ4IMb3BlbnN1c2Uub3JnMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU
BggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0fBG4wbDA0oDKgMIYuaHR0cDovL2Ny
bDMuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWczLmNybDA0oDKgMIYuaHR0
cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWczLmNybDBCBgNV
HSAEOzA5MDcGCWCGSAGG/WwBATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5k
aWdpY2VydC5jb20vQ1BTMIGDBggrBgEFBQcBAQR3MHUwJAYIKwYBBQUHMAGGGGh0
dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBNBggrBgEFBQcwAoZBaHR0cDovL2NhY2Vy
dHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkhpZ2hBc3N1cmFuY2VTZXJ2ZXJD
QS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAF+txhotR6kMJ
c/gRDAVCcc0Zj5cw5cuGeg7g3vG5Je45upbTfKQ/n2uU2AR0VIsap0Q8Zmo0/i/K
YVaq43HCdjB6mXz4KKl8IRbFT1WN5sI+HpXpAaWJ53KF3EkQj9w0NIR5QPvFWG8X
5zmg/SbyLdEuSQqtbOIm9KPwEAXo7+LDbiFAxMgbtAuKRUOuCWyRF/zeBjJSKX4E
NUB9stQUT+27GNZZNlyFTtmHQJUoIOy/hflAUQIGoXJdC2cWbVgl/ih5pjhwdVGi
BCv1oMDduoSF/wqtII/TTosjCK3YVZv1H3exAmtboMCZ1PAIOrMtQZZZrBoudiII
bpWKe/in7g==
-----END CERTIFICATE-----
subject=/C=US/L=Provo/ST=Utah/O=Novell, Inc./CN=*.opensuse.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2760 bytes and written 459 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1.2
Cipher  : AES256-SHA256
Session-ID: 36192646067A121B05B7381ED62A4C7C3485B543F413DEFAA02ABBB773CE3631
Session-ID-ctx:
Master-Key: C45C50DC8DC8C4509FBED25554139C1C0196ACFA73395C77B8ED3AFCA6026807D1AA8E5F72F1CE1DEEA2E62BAE716E01
Key-Arg  : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1484667634
Timeout  : 7200 (sec)
Verify return code: 0 (ok)
---
DONE
opensuse-test:~ #

Nesse exemplo, o cliente informou ao servidor que possui as cifras AES128-SHA:AES256-SHA256 e de acordo com a configuração do servidor, ele escolheu usar a cifra AES256-SHA256. A ordem das cifras passadas pelo cliente no comando openssl não interfere na decisão do servidor sobre qual cifra utilizar.

Referências

OpenSSL cryptography and SSL/TLS Tollkit. Disponível em: https://www.openssl.org. Acesso em: 02 Jan. 2017.
Apache Module mod_ssl. Disponível em: https://httpd.apache.org/docs/current/mod/mod_ssl.html. Acesso em: 03 Jan. 2017.
OpenSSL ciphers - SSL cipher display and cipher list tool. Disponível em: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html. Acesso em: 05 Jan. 2017
The Transport Layer Security (TLS) Protocol Version 1.2. Disponível em: https://tools.ietf.org/html/rfc5246. Acesso em: 10 Jan. 2017.
Cipher From Wikipedia, the free encyclopedia. Disponível em: https://en.wikipedia.org/wiki/Cipher. Acesso em: 18 Jan. 2017.


Autor: Fernando Galves (galves.fernando@gmail.com)
Publicado em 18 de Janeiro de 2017