Am 08.11.2015 um 12:15 schrieb Adi Kriegisch: > Supporting non-ephemeral ciphers is only ever required on certain > versions of openssl 0.9.8
> In other words: you need not provide AES*GCM-SHA2 and AES*SHA2. I tested on Debian Lenny 6 with OpenSSL 0.9.8o, it has no SHA2 support, so I decided to still include SHA1. OK, I can see you feel uncomftable with my decision to sort the Ciphers only by pushing Back AES256 which leads to old non-PFS-Ciphers between good ones. This could be easily solved by adding "+kRSA" to push back the non-PFS RSA-based-Key-Agreement Ciphers. $ openssl ciphers -v '-ALL:ECDH+aRSA+AES:DH+aRSA+AES:aRSA+kRSA+AES:+AES256:+kRSA' | cut -f1 -d" " ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA _______________________________________________ Ach mailing list [email protected] http://lists.cert.at/cgi-bin/mailman/listinfo/ach
