On 2015-07-18 3:44 PM, Eric Covener wrote:
> On Sat, Jul 18, 2015 at 8:47 AM, Michael Felt <[email protected]> wrote:
>> * Should the server determine that for a specific "Location"/"Directory"
>> more strict levels are needed then a new handshake (renegotiate if you
>> prefer) for a stricter cipher should start. However, based on the
>> assumption above (the strictest cipher that the client has is already
>> being used) - this should always fail because the client is not already
>> at that level.
>
> The assumption is not right. The server's list and the client's list
> are in an arbitrary order decided by whoever wrote and configured the
> software, and the server can choose to honor either (or neither, but
> that would be weird) ordering. Also, some ciphers do not have such a
> strict relative ordering of strength.
That is the problem with 'assumptions' of course. Assumptions are
frequently wrong.
By specifying "defaults" I was hoping that httpd defaults would
behave/order from highest to lowest - however, it seems OpenSSL never
came up with a good naming scheme of "better" to worse. The closest you
can get to a listing of defaults (I read elsewhere) is the output of the
command "openssl ciphers -v"
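The two points Eric makes (the negotiated suite depends on whose ordering the server honors, and the key-length number is not a strict strength ordering) can be shown with a small simulation. The following is an added example, not code from the thread or from httpd; it parses lines in the column layout of `openssl ciphers -v` (the sample lines are constructed, not a capture), then negotiates a suite under server-preference (httpd's `SSLHonorCipherOrder on`) and under client-preference, and finally checks whether a per-Location policy demanding a longer key could still be satisfied by a renegotiation. The suite names, the server and client lists, and the `min_bits` policy are assumptions chosen for illustration.

```python
import re

# Constructed sample in the column layout printed by `openssl ciphers -v`
# (name, protocol, Kx=, Au=, Enc=, Mac=); not output from a real system.
OPENSSL_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1
"""

_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)$"
)


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` style lines into a dict keyed by suite name.
    'bits' is the nominal key length printed inside Enc=...(N)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unrecognised line: %r" % line)
        d = m.groupdict()
        bits = re.search(r"\((\d+)\)", d["enc"])
        d["bits"] = int(bits.group(1)) if bits else 0
        table[d["name"]] = d
    return table


def select_cipher(server_order, client_order, honor_server_order):
    """Return the suite a server would negotiate.  With honor_server_order the
    server walks its own list and takes the first suite the client offered
    (httpd: SSLHonorCipherOrder on); otherwise it walks the client's list and
    takes the first suite it supports itself.  None means no common suite."""
    if honor_server_order:
        preferred, offered = server_order, set(client_order)
    else:
        preferred, offered = client_order, set(server_order)
    for name in preferred:
        if name in offered:
            return name
    return None


def strongest_by_nominal_bits(names, table):
    """Rank by the Enc=...(N) number alone.  This is the 'obvious' ordering and
    it is misleading: 3DES prints 168 but its effective strength is about 112
    bits (meet-in-the-middle), i.e. below AES(128)."""
    return max(names, key=lambda n: table[n]["bits"])


def stricter_suite(client_order, table, min_bits):
    """Model a per-Location policy requiring at least min_bits.  The renegotiation
    can succeed whenever the client offers any qualifying suite, regardless of
    what the initial handshake picked, so 'it should always fail' does not hold."""
    for name in client_order:
        if table[name]["bits"] >= min_bits:
            return name
    return None


def demo():
    """Run the scenario from the thread with assumed server and client lists."""
    table = parse_ciphers_v(OPENSSL_CIPHERS_V)
    server_order = list(table)  # server prefers the order as printed above
    # Assumed client list: the client puts a 128-bit suite first even though
    # it also supports a 256-bit one.
    client_order = ["AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384", "DES-CBC3-SHA"]
    return {
        "server_pref": select_cipher(server_order, client_order, True),
        "client_pref": select_cipher(server_order, client_order, False),
        "client_strongest": strongest_by_nominal_bits(client_order, table),
        "renegotiate_256": stricter_suite(client_order, table, 256),
        "nominal_3des_vs_aes128": strongest_by_nominal_bits(
            ["AES128-SHA", "DES-CBC3-SHA"], table),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-24s %s" % (k, v))
```

Under client preference the initial handshake lands on `AES128-SHA` although the client also offers a 256-bit suite, so a stricter per-Location policy can still be met on renegotiation; and ranking by the printed key length puts 3DES(168) above AES(128), which is the kind of non-ordering Eric refers to.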