httpd-dev mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: H2 compatible ciphers (was: svn commit: r1708593)
Date Fri, 16 Oct 2015 11:38:27 GMT
On Fri, Oct 16, 2015 at 12:21 PM, Yann Ylavic <ylavic.dev@gmail.com> wrote:
>
> And maybe more importantly, what remains currently?

Actually I tried some brute bash script (attached) to show what
remains compared to "openssl ciphers ALL", and the result is:

* libressl/install/2.2.1/bin/openssl:
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- DHE-RSA-CHACHA20-POLY1305
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES256-GCM-SHA384
- DHE-DSS-AES256-GCM-SHA384
- DHE-RSA-AES256-GCM-SHA384
- GOST2012256-GOST89-GOST89
- GOST2001-GOST89-GOST89
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-GCM-SHA256
- DHE-DSS-AES128-GCM-SHA256
- DHE-RSA-AES128-GCM-SHA256
- EDH-RSA-DES-CBC3-SHA
- EDH-DSS-DES-CBC3-SHA
- EDH-RSA-DES-CBC-SHA
- EDH-DSS-DES-CBC-SHA

* openssl/install/1.0.2d/bin/openssl:
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES256-GCM-SHA384
- DHE-DSS-AES256-GCM-SHA384
- DHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-GCM-SHA256
- DHE-DSS-AES128-GCM-SHA256
- DHE-RSA-AES128-GCM-SHA256
- EDH-RSA-DES-CBC3-SHA
- EDH-DSS-DES-CBC3-SHA
- EDH-RSA-DES-CBC-SHA
- EDH-DSS-DES-CBC-SHA
- EXP-EDH-RSA-DES-CBC-SHA
- EXP-EDH-DSS-DES-CBC-SHA

Some 'TLSv1.2:!kRSA:!aECDH:!DH' is a bit too restrictive, and their
blacklist a bit broken anyway (I wouldn't recommend the latter :)
I'll try a better one, but it would be nice if the httpwg could
express their blacklist in terms of authentication/key-exchange
methods and block-ciphers/stream-ciphers instead of this "out of the
hat" list.

By the way the SSLCompatibility idea is great, was not my point, but
maybe this can give you some bits for httpwg mailing list...
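
The message's suggestion of expressing the filter by key-exchange method and cipher type, as an added example that is not part of the original message or its attached script: a shell classifier over OpenSSL cipher names, run on the openssl 1.0.2d list above. The keep rule (DHE/ECDHE key exchange plus an AEAD cipher), the names `classify`, `kept` and `SAMPLE_102D`, and the reason strings are assumptions of this example.

```shell
#!/bin/sh
# Added example: sort OpenSSL cipher names by key exchange and bulk cipher.
# Assumed rule (not from the thread): keep DHE/ECDHE key exchange with an AEAD
# cipher (GCM, CCM, CHACHA20-POLY1305); drop export-grade suites outright.

# Print "keep" or "drop:<reason>" for one OpenSSL cipher name.
classify() {
    case $1 in
        EXP-*) echo "drop:export"; return ;;
    esac
    case $1 in
        ECDHE-*|DHE-*|EDH-*) ;;   # EDH is OpenSSL's older spelling of DHE
        *) echo "drop:kx-not-dhe-or-ecdhe"; return ;;
    esac
    case $1 in
        *-GCM-*|*-CCM*|*CHACHA20-POLY1305*) echo "keep" ;;
        *) echo "drop:not-aead" ;;
    esac
}

# Read one cipher name per line on stdin and print those that pass.
# Live use: openssl ciphers ALL | tr ':' '\n' | kept
kept() {
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ "$(classify "$name")" = "keep" ]; then printf '%s\n' "$name"; fi
    done
}

# The openssl 1.0.2d list quoted in the message, used as offline sample input.
SAMPLE_102D='ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA'

printf '%s\n' "$SAMPLE_102D" | kept   # prints the eight GCM suites
```

Under this rule the DES-CBC, 3DES-CBC and export entries that survived in the quoted lists are the ones dropped, with the reason printed by `classify`.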
