1

How can I find out the mode block cipher used in a PEM certificate I have? It's been generated with an intermediate CA that does sha256WithRSAEncryption but I need to find out if it's a GCM or CBC to properly configure some devices.

Anders
  • 64,406
  • 24
  • 178
  • 215
dquake
  • 11
  • 1

1 Answers1

2

Certificates only contain public keys for an asymmetric algorithm such as RSA or ECC. They do not contain symmetric keys, which is what operates using block ciphers in the various modes.

Symmetric keys are established during the SSL handshake, and are based on the list of ciphers presented by the server and negotiated with the client at the time the connection is made. The mode of operation is defined as part of each listed cipher.

To assert your clients can use CBC or GCM, you will need to go to your server’s configuration and ensure those algorithms are on the list of valid ciphers. You don’t have to worry about including extra ciphers because your clients will not negotiate to use an algorithm they don’t support.

(You may want to remove algorithms from the list for other reasons. You probably don’t want to support using weak algorithms or very short keys, for example.)

John Deters
  • 33,650
  • 3
  • 57
  • 110
  • Partial exception: if the algorithmidentifier for the key in the cert is RSASSA-PSS it can only be used with TLS1.3, and TLS1.3 supports only AEAD ciphers: yes to GCM CCM and ChaCha/Poly (which is a stream not block cipher), no to CBC. – dave_thompson_085 Jan 14 '20 at 01:41
  • @dave_thompson_085 if the clients 'require CBC', they almost certainly don't support ChaCha. Won't hurt to have it in the server's list, but the "properly configure some devices" means it probably won't apply to them. – John Deters Jan 14 '20 at 13:55