httpd-docs mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: Requesting review for SSL how-to changes (r1757280)
Date Thu, 25 Aug 2016 22:37:58 GMT
On Thu, Aug 25, 2016 at 11:37 PM, Yann Ylavic <ylavic.dev@gmail.com> wrote:
>>>
>>> Actually, intermediate looks more like:
>>> kECDHE:kDHE:kRSA:+SHA:!MEDIUM:!LOW:!aNULL:!eNULL:!DSS:!RC4:!3DES
>
> The CipherSuite above is perfectly fine with all versions AFAICT...

I spoke too quickly, libressl does not understand the k prefix (which
is implicit), so this should rather be:
ECDHE:DHE:RSA:+SHA:!EXPORT:!MEDIUM:!LOW:!aNULL:!eNULL:!DSS:!RC4:!3DES
It works with openssl too (including 0.9.8, FWIW, since I added !EXPORT)...

On Thu, Aug 25, 2016 at 11:34 PM, Jacob Champion <champion.p@gmail.com> wrote:
> On 08/25/2016 02:04 PM, Jacob Champion wrote:
>>
>> (HIGH was supposed to be the evolutive way to go, but IIRC that failed
>> due to backwards compatibility concerns when OpenSSL tried to remove the
>> weak ciphers from it.)
>
>
> (For more exciting reading on the cipher compatibility saga, see
>
>    https://mta.openssl.org/pipermail/openssl-dev/2016-February/005171.html

Note that this thread recommends:
  DEFAULT:!EXPORT:!LOW:!MEDIUM
which, with openssl 1.1, selects DHE-RSA-AES256-SHA before e.g.
ECDHE-ECDSA-CHACHA20-POLY1305.
So some tuning is needed there too...
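To see what a given SSLCipherSuite string actually expands to on a particular library, and to check that the `+SHA` and `!...` rules did what the thread intends, the following is an added example (not code from httpd, mod_ssl, or any of the posters). It drives the local OpenSSL or LibreSSL through Python's ssl module, so the list it produces is whatever `openssl ciphers -v '<string>'` would print on the same machine; the ordering observed above for `DEFAULT:!EXPORT:!LOW:!MEDIUM` is therefore version dependent and is only printed, not assumed. The helper names (`expand`, `fields`, `audit`, `rank`) and the list of bulk ciphers treated as weak are this example's own assumptions.

```python
"""Expand an OpenSSL cipher string and audit the result.

Added example for this thread, not code from httpd, mod_ssl or the posters.
The expansion comes from whatever OpenSSL/LibreSSL Python is linked against.
"""
import ssl

# The two cipher strings quoted in the thread.
INTERMEDIATE = "ECDHE:DHE:RSA:+SHA:!EXPORT:!MEDIUM:!LOW:!aNULL:!eNULL:!DSS:!RC4:!3DES"
OPENSSL_DEV = "DEFAULT:!EXPORT:!LOW:!MEDIUM"

# Bulk ciphers the thread's string is meant to keep out (constructed check
# list, spelled the way OpenSSL's "Enc=" description field names them).
WEAK_ENC = {"RC4", "3DES", "DES", "None"}


def expand(cipher_string):
    """Return the enabled TLS 1.2-and-below suites in the priority order
    OpenSSL derives from the string (what mod_ssl advertises, and enforces
    when SSLHonorCipherOrder is on)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is selected
    # OpenSSL 1.1.1+ also lists the TLS 1.3 suites, which a cipher string can
    # neither select nor reorder; drop them so only what the string controls is shown.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def fields(cipher):
    """Parse Kx=/Au=/Enc=/Mac= out of OpenSSL's one-line cipher description,
    e.g. 'AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1'.
    Enc is returned without its '(bits)' suffix."""
    f = dict(tok.split("=", 1) for tok in cipher["description"].split() if "=" in tok)
    f["Enc"] = f.get("Enc", "").split("(")[0]
    return f


def audit(cipher_string):
    """Expand the string and report weak suites and whether +SHA took effect."""
    suites = expand(cipher_string)
    names = [c["name"] for c in suites]
    problems = []
    sha1, other = [], []
    for i, c in enumerate(suites):
        f = fields(c)
        if f["Enc"] in WEAK_ENC:
            problems.append(f"{c['name']}: weak or null cipher {f['Enc']}")
        if f.get("Au") in ("None", "DSS"):
            problems.append(f"{c['name']}: unwanted authentication {f['Au']}")
        if "export" in c["description"]:
            problems.append(f"{c['name']}: export-grade suite")
        (sha1 if f.get("Mac") == "SHA1" else other).append(i)
    # The point of "+SHA": every SHA-1 MAC suite must sit behind every other suite.
    sha1_last = not sha1 or not other or min(sha1) > max(other)
    return {"names": names, "problems": problems, "sha1_last": sha1_last}


def rank(cipher_string, name):
    """Position of `name` in the expansion (0 = most preferred), None if absent."""
    names = [c["name"] for c in expand(cipher_string)]
    return names.index(name) if name in names else None


if __name__ == "__main__":
    for label, s in (("intermediate", INTERMEDIATE), ("openssl-dev", OPENSSL_DEV)):
        r = audit(s)
        print(f"{label}: {len(r['names'])} suites, first {r['names'][0]}, "
              f"SHA-1 suites last: {r['sha1_last']}, problems: {r['problems'] or 'none'}")
    # The comparison made in the thread: which of these does this library prefer?
    for n in ("DHE-RSA-AES256-SHA", "ECDHE-ECDSA-CHACHA20-POLY1305"):
        print(f"  {n}: rank {rank(OPENSSL_DEV, n)}")
```

Running it against several library builds (0.9.8, 1.0.2, 1.1.x, LibreSSL) is the quickest way to confirm a candidate string before it goes into the how-to, since unknown words in a cipher string are ignored silently by OpenSSL rather than rejected. Note that the server-side order only matters in httpd when `SSLHonorCipherOrder on` is set; otherwise the client's preference wins.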
