I want to get a cipher using EVP_get_cipherbyname. I have the following
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, which should map to this
DHE-RSA-AES128-GCM-SHA256. But when passing this string to the function, it can't find the cipher.
Using openssl -V I can see this is a supported cipher, and that it has a value 0x9e, which is 158 in base 10. I have assumed that this would be the NID, and tried calling EVP_get_cipherbynid with 158, but alas that doesn't work either, although I don't think this is the NID anymore.
How do I get a mapping of the RFC names to names that OpenSSL will accept?
I believe the issue is that you're confusing cipher suites and ciphers.
EVP_get_cipherbyname() does not take the name of a cipher suite; it takes the name of a cipher. The man page and general documentation for the OpenSSL API are pretty terrible. But searching for "EVP_get_cipherbyname" in this PDF yields 6 results. The very last reference is in a section talking about PEM encoded certificates. Now I know this isn't what you're doing, but it contains the following quote:
The line beginning DEK-Info contains two comma separated pieces of information: the encryption algorithm name as used by EVP_get_cipherbyname() and an 8 byte salt encoded as a set of hexadecimal digits.
The line they're referring to is: DEK-Info: DES-EDE3-CBC,3F17F5316E2BAC8
Which means that EVP_get_cipherbyname() really takes DES-EDE3-CBC as input, not a cipher suite. For your case I believe you're looking for AES-128-GCM to get the correct cipher.
NID simply stands for Numerical ID. This is a generic term for identifying a set list. Cipher suites do not have NIDs, only the RFC assigned codes (thanks @dave_thompson_085), which is why when you attempted to use the NID it still couldn't find the cipher.
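The suite-versus-cipher split described in the answer can be inspected from Python's `ssl` module, which wraps the same OpenSSL library. This is an added example, not code from the original question or answer; it assumes a Python build linked against OpenSSL 1.1.0 or later (where `get_ciphers()` reports the `symmetric` field) with DHE suites compiled in, and the helper names are hypothetical.

```python
import ssl

# IANA code point for TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: the 0x9e value
# the question reads from the openssl cipher listing.
SUITE_CODE = 0x009E


def enabled_suites():
    """Return the cipher-suite dicts the linked OpenSSL offers for 'ALL'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return ctx.get_ciphers()


def suite_by_code(code, suites=None):
    """Find a suite by its two-byte IANA code; None if it is not offered."""
    suites = enabled_suites() if suites is None else suites
    for suite in suites:
        # OpenSSL stores TLS suite ids as 0x0300xxxx; the low 16 bits are
        # the IANA code. This is a suite identifier, not a cipher NID.
        if suite["id"] & 0xFFFF == code:
            return suite
    return None


def split_suite(code):
    """Return (OpenSSL suite name, bulk cipher name) for a suite code."""
    suite = suite_by_code(code)
    if suite is None:
        raise LookupError(f"suite 0x{code:04X} not offered by this OpenSSL build")
    # 'name' is the whole suite (key exchange + auth + cipher + hash);
    # 'symmetric' is the bulk cipher on its own, the algorithm the answer
    # identifies as AES-128-GCM.
    return suite["name"], suite["symmetric"]


if __name__ == "__main__":
    suite = suite_by_code(SUITE_CODE)
    print("suite name  :", suite["name"])
    print("key exchange:", suite["kea"], "/ auth:", suite["auth"])
    print("bulk cipher :", suite["symmetric"])
```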