On Tue, 12 Apr 2016 11:23:57 +0200, in <titc.2910a237aa.of5e0a2321.7456b3cf-onc1257f93.003256a3-c1257f93.0033a...@thockar.com>, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:

> SSL_version:=SSLv2/3:!SSLv3:!SSLv2
> SSL_cipher_list:=DEFAULT:!aNULL:!RC4:!MD5

in case someone is interested, here's my config (watch the wrap)

DoTLS := do TLS
SSL_version := SSLv23:!SSLv3:!SSLv2
SSL_cipher_list := kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED

the above prioritizes strong ciphers while allowing a graceful fallback
to weaker ones to maintain support for obsolete clients; it's serving me
well and I feel like I can recommend it; the resulting ciphers offered
by ASSP with the above config will then be the following


Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384    
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256    
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384  
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256      
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256  
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256      
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
Accepted  TLSv1.2  256 bits  AES256-SHA256
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA       
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA       
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA         
Accepted  TLSv1.2  256 bits  DHE-RSA-CAMELLIA256-SHA    
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA         
Accepted  TLSv1.2  256 bits  AES256-SHA
Accepted  TLSv1.2  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  128 bits  ECDHE-RSA-RC4-SHA          
Accepted  TLSv1.2  128 bits  RC4-SHA
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA       
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA       
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA         
Accepted  TLSv1.1  256 bits  DHE-RSA-CAMELLIA256-SHA    
Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA         
Accepted  TLSv1.1  256 bits  AES256-SHA
Accepted  TLSv1.1  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.1  128 bits  AES128-SHA
Accepted  TLSv1.1  128 bits  ECDHE-RSA-RC4-SHA          
Accepted  TLSv1.1  128 bits  RC4-SHA
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA       
Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA       
Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA         
Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA    
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA         
Accepted  TLSv1.0  256 bits  AES256-SHA
Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  128 bits  ECDHE-RSA-RC4-SHA          
Accepted  TLSv1.0  128 bits  RC4-SHA

as you see, the ciphers allow a fallback all the way down to RC4-SHA,
so allowing even really obsolete clients to connect over SSL; at the
same time, the preferred ciphers are the strongest ones offered, which
means that up-to-date clients will have strong security

HTH
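An added example (my own code, not the poster's config or anything from ASSP) that audits a cipher inventory in the format shown above: it parses the "Preferred/Accepted" rows, confirms which suite each protocol version prefers, and flags what the graceful fallback keeps enabled (RC4, suites without forward secrecy, SHA-1 MACs, pre-TLS1.2 protocols). The sample rows are constructed from the list in the message; the column layout and the OpenSSL suite-name conventions are the only assumptions.

```python
import re

# Rows constructed from the list in the message above (not a live scan).
SAMPLE_INVENTORY = """\
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted  TLSv1.2  256 bits  AES256-SHA256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-RC4-SHA
Accepted  TLSv1.2  128 bits  RC4-SHA
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA
Accepted  TLSv1.0  128 bits  RC4-SHA
"""

# <Preferred|Accepted> <protocol> <bits> bits <OpenSSL suite name>
ROW_RE = re.compile(r"^(Preferred|Accepted)\s+(SSLv[23]|TLSv1\.[0-3])\s+(\d+)\s+bits\s+(\S+)$")


def parse_inventory(text):
    """Return (status, protocol, bits, suite) tuples; unrecognised lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m[1], m[2], int(m[3]), m[4]))
    return rows


def findings(protocol, suite):
    """Weaknesses a defender would flag, read off the OpenSSL suite name."""
    out = []
    if "RC4" in suite:
        out.append("RC4 stream cipher")
    if not suite.startswith(("ECDHE-", "DHE-")):
        out.append("no forward secrecy")  # static RSA key exchange
    if suite.endswith("-SHA"):
        out.append("HMAC-SHA1")  # a bare "-SHA" suffix means a SHA-1 MAC
    if protocol in ("SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"):
        out.append("legacy protocol " + protocol)
    return out


def preferred_by_protocol(rows):
    """The suite the server picks first for each protocol version."""
    return {proto: suite for status, proto, _, suite in rows if status == "Preferred"}


def audit(text):
    """Map (protocol, suite) -> findings for every suite that has any."""
    result = {}
    for _, proto, _, suite in parse_inventory(text):
        issues = findings(proto, suite)
        if issues:
            result[(proto, suite)] = issues
    return result
```

Run `audit()` over the full list from the message to see exactly which rows only exist for the obsolete-client fallback; every suite the audit leaves unflagged is one a current client would negotiate.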

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test