On Fri, Oct 16, 2015 at 12:21 PM, Yann Ylavic wrote:
>
> And maybe more importantly, what remains currently?
Actually I tried some brute bash script (attached) to show what remains compared to "openssl ciphers ALL", and the result is:

* libressl/install/2.2.1/bin/openssl:
  - ECDHE-ECDSA-CHACHA20-POLY1305
  - ECDHE-RSA-CHACHA20-POLY1305
  - DHE-RSA-CHACHA20-POLY1305
  - ECDHE-RSA-AES256-GCM-SHA384
  - ECDHE-ECDSA-AES256-GCM-SHA384
  - DHE-DSS-AES256-GCM-SHA384
  - DHE-RSA-AES256-GCM-SHA384
  - GOST2012256-GOST89-GOST89
  - GOST2001-GOST89-GOST89
  - ECDHE-RSA-AES128-GCM-SHA256
  - ECDHE-ECDSA-AES128-GCM-SHA256
  - DHE-DSS-AES128-GCM-SHA256
  - DHE-RSA-AES128-GCM-SHA256
  - EDH-RSA-DES-CBC3-SHA
  - EDH-DSS-DES-CBC3-SHA
  - EDH-RSA-DES-CBC-SHA
  - EDH-DSS-DES-CBC-SHA

* openssl/install/1.0.2d/bin/openssl:
  - ECDHE-RSA-AES256-GCM-SHA384
  - ECDHE-ECDSA-AES256-GCM-SHA384
  - DHE-DSS-AES256-GCM-SHA384
  - DHE-RSA-AES256-GCM-SHA384
  - ECDHE-RSA-AES128-GCM-SHA256
  - ECDHE-ECDSA-AES128-GCM-SHA256
  - DHE-DSS-AES128-GCM-SHA256
  - DHE-RSA-AES128-GCM-SHA256
  - EDH-RSA-DES-CBC3-SHA
  - EDH-DSS-DES-CBC3-SHA
  - EDH-RSA-DES-CBC-SHA
  - EDH-DSS-DES-CBC-SHA
  - EXP-EDH-RSA-DES-CBC-SHA
  - EXP-EDH-DSS-DES-CBC-SHA

Some 'TLSv1.2:!kRSA:!aECDH:!DH' is a bit too restrictive, and their blacklist is a bit broken anyway (I wouldn't recommend the latter :)

I'll try a better one, but it would be nice if the httpwg could express their blacklist in terms of authentication/key-exchange methods and block-ciphers/stream-ciphers instead of this "out of the hat" list.

By the way, the SSLCompatibility idea is great, that was not my point, but maybe this can give you some bits for the httpwg mailing list...
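The message above asks for a blacklist expressed in terms of key exchange, authentication and cipher rather than as a list of suite names. The following is an added example, not code from the thread, from httpd or from the httpwg: it parses OpenSSL-style cipher suite names into those components and applies one possible structural policy (ephemeral key exchange, authenticated peer, no export grade, AEAD bulk cipher). The policy and the helper names are assumptions made here for illustration; the sample suite names are those listed in the message, plus two constructed ones (AECDH-AES128-SHA, AES128-SHA) to exercise the anonymous and static-RSA branches. It runs offline and does not need an openssl binary.

```python
"""Classify OpenSSL cipher suite names by kx/auth/enc/hash and apply a policy
written in those terms. Example code; the policy below is an assumption, not
the httpwg's list."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str              # key exchange: ECDHE, DHE, ECDH, DH, RSA, GOST2001, ...
    auth: str            # authentication: RSA, ECDSA, DSS, PSK, NULL (anonymous), ...
    enc: str             # bulk cipher: AES128-GCM, CHACHA20-POLY1305, DES-CBC3, ...
    hash_alg: Optional[str]  # HMAC hash for CBC/stream suites, PRF hash for AEAD suites
    export: bool         # EXP- prefix (export-grade key sizes)


# OpenSSL name prefixes -> (key exchange, fixed authentication or None if it follows)
_KX = {
    "ECDHE": ("ECDHE", None), "DHE": ("DHE", None), "EDH": ("DHE", None),
    "ECDH": ("ECDH", None), "DH": ("DH", None),
    "AECDH": ("ECDH", "NULL"), "ADH": ("DH", "NULL"),   # anonymous variants
}
_AUTH = {"RSA", "ECDSA", "DSS", "PSK", "SRP"}
_HASHES = {"MD5", "SHA", "SHA256", "SHA384", "GOST89", "GOST94"}
_AEAD_TAGS = ("GCM", "CCM", "POLY1305")
_EPHEMERAL = {"ECDHE", "DHE"}


def parse_suite(name: str) -> Suite:
    """Split an OpenSSL suite name such as EDH-RSA-DES-CBC3-SHA into components."""
    tokens = name.split("-")
    export = tokens[0] == "EXP"
    if export:
        tokens.pop(0)
    if tokens[0].startswith("GOST"):
        kx = auth = tokens.pop(0)            # GOST2001-GOST89-GOST89 style names
    elif tokens[0] in _KX:
        kx, fixed_auth = _KX[tokens.pop(0)]
        if fixed_auth is None:
            auth = tokens.pop(0)             # ECDHE-RSA-..., EDH-DSS-...
            if auth not in _AUTH:
                raise ValueError(f"unknown authentication token in {name}: {auth}")
        else:
            auth = fixed_auth
    else:
        kx = auth = "RSA"                    # plain AES128-SHA: static RSA key transport
    hash_alg = tokens.pop() if tokens and tokens[-1] in _HASHES else None
    if not tokens:
        raise ValueError(f"no bulk cipher in {name}")
    return Suite(name, kx, auth, "-".join(tokens), hash_alg, export)


def reject_reason(s: Suite) -> Optional[str]:
    """Policy expressed structurally (assumed here): return None if the suite is
    acceptable, otherwise the property that fails. Order: export, anonymous,
    forward secrecy, then AEAD (which also rules out DES/3DES/RC4 CBC or stream)."""
    if s.export:
        return "export-grade"
    if s.auth == "NULL":
        return "anonymous key exchange"
    if s.kx not in _EPHEMERAL:
        return f"no forward secrecy ({s.kx} key exchange)"
    if not any(tag in s.enc for tag in _AEAD_TAGS):
        return f"non-AEAD cipher ({s.enc})"
    return None


def evaluate(names: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Return (kept suite names, {rejected suite name: reason})."""
    kept, rejected = [], {}
    for n in names:
        reason = reject_reason(parse_suite(n))
        if reason is None:
            kept.append(n)
        else:
            rejected[n] = reason
    return kept, rejected


# Names listed in the message above (libressl 2.2.1 remainder plus the two EXP
# suites from the openssl 1.0.2d list), followed by two constructed extras.
SAMPLE_SUITES = [
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "DHE-DSS-AES256-GCM-SHA384",
    "DHE-RSA-AES256-GCM-SHA384", "GOST2012256-GOST89-GOST89",
    "GOST2001-GOST89-GOST89", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "DHE-DSS-AES128-GCM-SHA256",
    "DHE-RSA-AES128-GCM-SHA256", "EDH-RSA-DES-CBC3-SHA", "EDH-DSS-DES-CBC3-SHA",
    "EDH-RSA-DES-CBC-SHA", "EDH-DSS-DES-CBC-SHA",
    "EXP-EDH-RSA-DES-CBC-SHA", "EXP-EDH-DSS-DES-CBC-SHA",
    "AECDH-AES128-SHA",   # constructed: anonymous ECDH
    "AES128-SHA",         # constructed: static RSA key transport
]

if __name__ == "__main__":
    kept, rejected = evaluate(SAMPLE_SUITES)
    print("kept:")
    for n in kept:
        print("  ", n)
    print("rejected:")
    for n, why in rejected.items():
        print(f"   {n}: {why}")
```

The same parser can be pointed at the output of `openssl ciphers ALL` from each build instead of the embedded list, which turns the "what remains" comparison into a per-property report rather than a diff of opaque names.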
