To continue the CipherString-B discussion, I try to sum up some thoughts:

1) The ciphers in the current CipherString-B are sane but not ideally sorted on all versions of OpenSSL.
2) Camellia could be considered to be removed.
3) Performance: ECDHE could be preferred over DHE
4) Performance: AES128 could be preferred over AES256
5) Deactivating ciphers one by one in OpenSSL gives unpredictable results in newer versions, as newer ciphers will be added
So I tried to do it the other way round:

1. Disable all ciphers
2. Add the ciphers which are sane
3. Do the sorting

My result is:

    -ALL:ECDH+aRSA+AES:DH+aRSA+AES:aRSA+kRSA+AES:+AES256

To explain:

1) -ALL ... removes all ciphers; now the list should be REALLY empty on all OpenSSL versions

2) ECDH+aRSA adds the sane ECDHE modes only:

    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-SHA384
    ECDHE-RSA-AES256-SHA
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-SHA256
    ECDHE-RSA-AES128-SHA

3) DH+aRSA+AES adds the sane DHE modes only:

    DHE-RSA-AES256-GCM-SHA384
    DHE-RSA-AES256-SHA256
    DHE-RSA-AES256-SHA
    DHE-RSA-AES128-GCM-SHA256
    DHE-RSA-AES128-SHA256
    DHE-RSA-AES128-SHA

4) aRSA+kRSA+AES adds some sane non-PFS modes for compatibility:

    AES256-GCM-SHA384
    AES256-SHA256
    AES256-SHA
    AES128-GCM-SHA256
    AES128-SHA256
    AES128-SHA

5) and the "+AES256" pushes back AES256 to prefer AES128, which obviously doesn't work on all older versions, but does on current versions.

The result is:

    $ openssl ciphers -v '-ALL:ECDH+aRSA+AES:DH+aRSA+AES:aRSA+kRSA+AES:+AES256' | cut -f1 -d" "
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-SHA256
    ECDHE-RSA-AES128-SHA
    DHE-RSA-AES128-GCM-SHA256
    DHE-RSA-AES128-SHA256
    DHE-RSA-AES128-SHA
    AES128-GCM-SHA256
    AES128-SHA256
    AES128-SHA
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-SHA384
    ECDHE-RSA-AES256-SHA
    DHE-RSA-AES256-GCM-SHA384
    DHE-RSA-AES256-SHA256
    DHE-RSA-AES256-SHA
    AES256-GCM-SHA384
    AES256-SHA256
    AES256-SHA

Clients with a default configuration should always connect with ECDH-AES128; when not supporting ECDH they will fall back to DHE-AES128; if a client doesn't support PFS ciphers there is still a possibility to connect using the AES+RSA ciphers. Only if a client has disabled AES128 will it use the stronger AES256 suites.

What do you think? Would this cipher string even lead to other results on older / newer versions of OpenSSL? I think the problem should be reduced significantly because of disabling all with "-ALL". The AES order is well defined.
Of course the GCM/AES order and the SHA orders could be mixed up in another order using other OpenSSL versions.

I tested it on

    OpenSSL 1.0.1k 8 Jan 2015 on Debian 8.2
    OpenSSL 1.0.1e-fips 11 Feb 2013 on CentOS 7.1
    OpenSSL 1.0.1e-fips 11 Feb 2013 on CentOS 6.7

and for old version compatibility:

    OpenSSL 0.9.8o 01 Jun 2010 on Debian 6

which has no ECDHE and SHA2 support, so this string works but leads to this short list of "Last-Hope" ciphers:

    DHE-RSA-AES256-SHA
    DHE-RSA-AES128-SHA
    AES256-SHA
    AES128-SHA

_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
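The question of whether the string expands differently on another OpenSSL build can be checked mechanically. The following is an added example, not part of the original post: it audits an expanded cipher list against the goals stated above, using the two lists quoted in the post as input. The function names audit_ciphers, list_modern and list_old are hypothetical.

```shell
#!/bin/sh
# Added example. audit_ciphers, list_modern and list_old are hypothetical names.
# Reads one cipher name per line and checks the goals stated in the post:
#   only ECDHE-RSA / DHE-RSA / plain-RSA suites with AES,
#   every AES128 suite before every AES256 suite,
#   within one AES size: ECDHE first, then DHE, then RSA key transport.
# Against a local build: openssl ciphers '<string>' | tr ':' '\n' | audit_ciphers
audit_ciphers() {
    awk '
    # Skip blank lines and TLS 1.3 names (TLS_...), not governed by this string.
    NF == 0 || /^TLS_/ { next }
    {
        name = $1
        if      (name ~ /^ECDHE-RSA-AES(128|256)/) kx = 1
        else if (name ~ /^DHE-RSA-AES(128|256)/)   kx = 2
        else if (name ~ /^AES(128|256)/)           kx = 3
        else { print "UNEXPECTED " name; bad = 1; next }
        bits = (name ~ /AES128/) ? 128 : 256
        if (bits == 128 && seen256) { print "ORDER " name " follows an AES256 suite"; bad = 1 }
        if (bits == 256) seen256 = 1
        if (kx < last[bits] + 0) { print "KX-ORDER " name; bad = 1 }
        last[bits] = kx
        n++
    }
    END {
        if (n == 0) { print "EMPTY cipher list"; bad = 1 }
        exit bad + 0
    }
    '
}

# Expanded list quoted in the post (OpenSSL 1.0.1 systems).
list_modern() {
    printf '%s\n' \
        ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA \
        DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA \
        AES128-GCM-SHA256 AES128-SHA256 AES128-SHA \
        ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA \
        DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA \
        AES256-GCM-SHA384 AES256-SHA256 AES256-SHA
}

# Short list the post reports for OpenSSL 0.9.8o.
list_old() {
    printf '%s\n' DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA
}

list_modern | audit_ciphers && echo "1.0.1 list: all checks pass"
list_old | audit_ciphers || echo "0.9.8o list: AES128 is not preferred"
```

A non-zero exit status means the local build expands the string differently from the intent, for example by admitting a Camellia suite or by leaving AES256 ahead of AES128.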
