On 08.11.2015 at 12:48, Adi Kriegisch wrote:
> The other way around: you *only* need SHA1 support. All newer
> implementations are well aware of ECDHE and DHE and thus will choose
> ephemeral ciphers anyways.
Ah - OK, sorry I just misunderstood your former mail.

> Actually I wouldn't do that too: now you have first ECDHE TLSv1.2-TLSv1.0
> and then DHE TLSv1.2-TLSv1.0. I'd very much recommend to prefer TLS1.2 over
> all TLSv1.0 ciphers, no matter if they are ECDHE or DHE...

OK. So push back the older TLSv1 ciphers too by adding "+TLSv1" at the right
position:

$ openssl ciphers -v '-ALL:ECDH+aRSA+AES:DH+aRSA+AES:aRSA+kRSA+AES:+AES256:+TLSv1:+kRSA' | cut -f1 -d" "
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA
AES128-GCM-SHA256
AES128-SHA256
AES256-GCM-SHA384
AES256-SHA256
AES128-SHA
AES256-SHA

Tested on
OpenSSL 1.0.1k 8 Jan 2015 on Debian 8.2
OpenSSL 1.0.1e-fips 11 Feb 2013 on CentOS 7.1
OpenSSL 1.0.1e 11 Feb 2013 on Debian 7
OpenSSL 0.9.8o 01 Jun 2010 on Debian 6 (only offering SHA1 and kRSA / DH Ciphers but not SHA2 and no ECDH)

_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
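Added example, not part of the original mail: a small checker for the ordering discussed in this thread (ephemeral suites before static RSA, and TLSv1.2 suites before older ones within each group), useful when testing one cipher string on several OpenSSL builds. The function name and the sample lists are constructed for illustration, and the column layout assumed is that of `openssl ciphers -v` on OpenSSL 1.0.x.

```shell
#!/bin/sh
# Reads `openssl ciphers -v` output on stdin (columns: name, protocol, Kx=...)
# and checks the preference order worked out in this thread:
#   1. no ephemeral suite (Kx=ECDH or Kx=DH) after a non-ephemeral one
#   2. within each of those two groups, no TLSv1.2 suite after an older one
# Prints one line per violation and returns 1 if any were found.
check_cipher_order() {
    awk '
        NF < 3 { next }    # skip blank or malformed lines
        {
            eph = ($3 == "Kx=ECDH" || $3 == "Kx=DH")
            new = ($2 == "TLSv1.2")
            if (eph && first_static != "") {
                printf "%s: ephemeral suite after non-ephemeral suite %s\n", $1, first_static
                bad = 1
            }
            if (new && first_old[eph] != "") {
                printf "%s: TLSv1.2 suite after older suite %s\n", $1, first_old[eph]
                bad = 1
            }
            if (!eph && first_static == "") first_static = $1
            if (!new && first_old[eph] == "") first_old[eph] = $1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample input in OpenSSL 1.0.1 "-v" format (not captured output).
GOOD_ORDER='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'

# Constructed: ECDHE TLSv1.2-TLSv1.0 first, then DHE TLSv1.2-TLSv1.0.
BAD_ORDER='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'

# Live use: openssl ciphers -v 'CIPHERSTRING' | check_cipher_order
printf '%s\n' "$GOOD_ORDER" | check_cipher_order && echo "good list: order ok"
printf '%s\n' "$BAD_ORDER" | check_cipher_order || echo "bad list: order violated"
```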
