El día Friday, February 17, 2017 a las 09:57:39AM +, Matt Caswell escribió:
>
>
> On 17/02/17 07:46, Matthias Apitz wrote:
> > New, TLSv1/SSLv3, Cipher is DHE-DSS-AES128-GCM-SHA256
>
> Your server appears to be configured with a DSA certificate.
>
> OpenSSL 1.1.0 made changes to the default ciphersuites that get sent.
> See this CHANGES entry:
>
> *) Changes to the DEFAULT cipherlist:
>- Prefer (EC)DHE handshakes over plain RSA.
>- Prefer AEAD ciphers over legacy ciphers.
>- Prefer ECDSA over RSA when both certificates are available.
>- Prefer TLSv1.2 ciphers/PRF.
>- Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
> default cipherlist.
> [Emilia Käsper]
>
> So OpenSSL 1.1.0 does not offer any DSS based ciphersuites by default
> any more. If your server only has a DSA certificate then this is going
> to fail.
Thanks. I have aadded more ciphers using SSL_set_cipher_list(3) and all
is fine now.
matthias
--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎
+49-176-38902045
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
