httpd-docs mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: Requesting review for SSL how-to changes (r1757280)
Date Thu, 25 Aug 2016 21:37:57 GMT
On Thu, Aug 25, 2016 at 11:04 PM, Jacob Champion <champion.p@gmail.com> wrote:
> On 08/25/2016 01:44 PM, Yann Ylavic wrote:
>>
>> On Thu, Aug 25, 2016 at 10:26 PM, Yann Ylavic <ylavic.dev@gmail.com>
>> wrote:
>>>
>>> An exhaustive cipher list doesn't look evolutive to me, and depends on
>>> the SSL library version.
>>>
>>> "Modern" ciphers could possibly be defined by
>>> 'kECDHE:!MEDIUM:!LOW:!aNULL:!eNULL:!SSLv3', and "Intermediate" ones
>>> with 'kECDHE:kRSA:!MEDIUM:!LOW:!aNULL:!eNULL:!SSLv3'.
>>
>>
>> Actually, intermediate looks more like:
>> kECDHE:kDHE:kRSA:+SHA:!MEDIUM:!LOW:!aNULL:!eNULL:!DSS:!RC4:!3DES
>
> I think this illustrates the problem with attempting a forward-facing
> cipherstring: in the end, you still have to plug it into OpenSSL to see what
> ciphers you get out, and check if all of those options are "strong ciphers".
> If not, you add yet another exception, rinse, and repeat.

I find this CipherSuite quite evolutive and unsurprising (key exchange
algorithms don't change or get introduced too often, and that's a
euphemism :). If a cipher proves to be weak, add it to the :!END and
be done (like RC4 and 3DES recently).

Contrariwise, with the exhaustive list method, if you upgrade e.g. from
openssl 1.0 to 1.1 you have to figure out what the new strong ciphers
are before adding them (like CHACHA/POLY1305, or CHACHA-GCM with
libreSSL, or ..).

The CipherSuite above is perfectly fine with all versions AFAICT...

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
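
The check Jacob describes above (plug the cipher string into OpenSSL and look at what actually comes out) as an added Python example that is not part of this thread. It resolves the string through the OpenSSL that Python's ssl module is linked against, so the result depends on that library version, exactly as Yann notes; the `weakness` helper and its criteria are assumptions of this example that mirror the exclusions in the intermediate string, not an OpenSSL API.

```python
import re
import ssl

# The "intermediate" cipher string proposed in the thread.
INTERMEDIATE = "kECDHE:kDHE:kRSA:+SHA:!MEDIUM:!LOW:!aNULL:!eNULL:!DSS:!RC4:!3DES"

def expand(cipher_string):
    """Resolve a cipher string to the suites OpenSSL actually selects,
    like `openssl ciphers -v`, using the library Python is linked against.
    Each entry carries the `openssl ciphers -v` style description line."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()

# Fields of an `openssl ciphers -v` line: Kx=... Au=... Enc=... Mac=...
_FIELD = re.compile(r"(Kx|Au|Enc|Mac)=(\S+)")

def weakness(description, strength_bits):
    """Return why one cipher description is weak, or None if it is fine.
    Criteria (assumed here) follow the thread's exclusions: no RC4, no 3DES,
    no NULL encryption/authentication, no DSS, nothing under 128 bits."""
    fields = dict(_FIELD.findall(description))
    enc, auth = fields.get("Enc", ""), fields.get("Au", "")
    if enc.startswith("RC4"):
        return "RC4"
    if enc.startswith("3DES"):
        return "3DES"
    if enc == "None" or auth == "None":
        return "NULL cipher or no authentication"
    if auth == "DSS":
        return "DSS"
    if strength_bits < 128:
        return "strength below 128 bits"
    return None

def audit(cipher_string):
    """Expand the string and report every selected suite that is still weak.
    An empty list means the string needs no further ':!' exception."""
    findings = []
    for cipher in expand(cipher_string):
        reason = weakness(cipher["description"], cipher["strength_bits"])
        if reason:
            findings.append((cipher["name"], reason))
    return findings

if __name__ == "__main__":
    for cipher in expand(INTERMEDIATE):
        print(cipher["description"])
    print("weak suites selected:", audit(INTERMEDIATE))
```

Rerunning `audit` after an OpenSSL upgrade is the "rinse and repeat" step: new suites appear in the expansion automatically, and only those the criteria reject need a new exclusion.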

