On Fri, Oct 16, 2015 at 1:38 PM, Yann Ylavic <[email protected]> wrote:
>
> Actually I tried some brute bash script (attached) to show what
> remains compared to "openssl ciphers ALL", and the result is:
>
> * libressl/install/2.2.1/bin/openssl:
> - ECDHE-ECDSA-CHACHA20-POLY1305
> - ECDHE-RSA-CHACHA20-POLY1305
> - DHE-RSA-CHACHA20-POLY1305
> - ECDHE-RSA-AES256-GCM-SHA384
> - ECDHE-ECDSA-AES256-GCM-SHA384
> - DHE-DSS-AES256-GCM-SHA384
> - DHE-RSA-AES256-GCM-SHA384
> - GOST2012256-GOST89-GOST89
> - GOST2001-GOST89-GOST89
> - ECDHE-RSA-AES128-GCM-SHA256
> - ECDHE-ECDSA-AES128-GCM-SHA256
> - DHE-DSS-AES128-GCM-SHA256
> - DHE-RSA-AES128-GCM-SHA256
> - EDH-RSA-DES-CBC3-SHA
> - EDH-DSS-DES-CBC3-SHA
> - EDH-RSA-DES-CBC-SHA
> - EDH-DSS-DES-CBC-SHA
>
> * openssl/install/1.0.2d/bin/openssl:
> - ECDHE-RSA-AES256-GCM-SHA384
> - ECDHE-ECDSA-AES256-GCM-SHA384
> - DHE-DSS-AES256-GCM-SHA384
> - DHE-RSA-AES256-GCM-SHA384
> - ECDHE-RSA-AES128-GCM-SHA256
> - ECDHE-ECDSA-AES128-GCM-SHA256
> - DHE-DSS-AES128-GCM-SHA256
> - DHE-RSA-AES128-GCM-SHA256
> - EDH-RSA-DES-CBC3-SHA
> - EDH-DSS-DES-CBC3-SHA
> - EDH-RSA-DES-CBC-SHA
> - EDH-DSS-DES-CBC-SHA
> - EXP-EDH-RSA-DES-CBC-SHA
> - EXP-EDH-DSS-DES-CBC-SHA
>
> So 'TLSv1.2:!kRSA:!aECDH:!DH' is a bit too restrictive
Looks like 'ALL:!SSLv3:!kRSA:!ADH:!aECDH' matches pretty well (excluding the undesirable ones above).
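To make the comparison in the thread reproducible without the attached bash script, here is an added example (editor's code, not Yann's script or anything from OpenSSL/LibreSSL) that parses the `openssl ciphers -v` listing format of the 1.0.2 era and applies the negated keywords from the proposed string the way ciphers(1) defines them: `!SSLv3` drops suites whose minimum protocol column is SSLv3 (i.e. everything that is not TLSv1.2), `!kRSA` drops RSA key exchange, `!ADH` drops anonymous DH (Au=None with DH key exchange; anonymous ECDH is the separate AECDH keyword), and `!aECDH` drops static-ECDH authentication. The sample listing is constructed by hand from real suite names and is not output captured from either binary; `excluded_by` produces the same "what ALL has that the string drops" list Yann's script computed.

```python
import re
from typing import Callable, Dict, List

# Constructed sample of `openssl ciphers -v ALL` output in the OpenSSL 1.0.2
# column format (name, minimum protocol, Kx=, Au=, Enc=, Mac=). Hand-written
# for this example, not captured from the binaries discussed in the thread;
# one suite per exclusion rule plus three that should survive.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA   Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH  Enc=AES(128)  Mac=SHA256
ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=None  Enc=AESGCM(128) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(256) Mac=AEAD
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA   Enc=3DES(168) Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None  Enc=AES(128)  Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers_v(text: str) -> List[Dict[str, str]]:
    """Turn `openssl ciphers -v` lines into dicts; unparseable lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


# Predicates for the negated keywords in the thread, following the ciphers(1)
# definitions as I read them for OpenSSL 1.0.2 (an assumption of this example,
# not the library's own matching code). Export suites print Kx=RSA(512) or
# Kx=DH(512), hence startswith().
KEYWORDS: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "SSLv3": lambda s: s["proto"] == "SSLv3",                   # non-TLSv1.2 suites
    "kRSA":  lambda s: s["kx"].startswith("RSA"),               # RSA key exchange
    "ADH":   lambda s: s["kx"].startswith("DH") and s["au"] == "None",  # anon DH only
    "aECDH": lambda s: s["au"] == "ECDH",                       # static ECDH auth
}


def apply_cipher_string(suites: List[Dict[str, str]], cipher_string: str) -> List[str]:
    """Apply 'ALL:!KW:!KW...' to the parsed suites. Only ALL and the '!'
    exclusions defined above are supported, which covers the strings in the
    thread; anything else raises so it cannot silently match nothing."""
    kept = list(suites)
    for token in cipher_string.split(":"):
        if token == "ALL":
            continue
        if not token.startswith("!") or token[1:] not in KEYWORDS:
            raise ValueError(f"unsupported cipher-string token: {token}")
        pred = KEYWORDS[token[1:]]
        kept = [s for s in kept if not pred(s)]
    return [s["name"] for s in kept]


def excluded_by(suites: List[Dict[str, str]], cipher_string: str) -> List[str]:
    """Suites present in the ALL listing that the cipher string drops: the
    same comparison Yann's script made against `openssl ciphers ALL`."""
    kept = set(apply_cipher_string(suites, cipher_string))
    return [s["name"] for s in suites if s["name"] not in kept]


if __name__ == "__main__":
    suites = parse_ciphers_v(SAMPLE_CIPHERS_V)
    proposed = "ALL:!SSLv3:!kRSA:!ADH:!aECDH"
    print("kept by", proposed)
    for name in apply_cipher_string(suites, proposed):
        print("  +", name)
    print("dropped compared to ALL")
    for name in excluded_by(suites, proposed):
        print("  -", name)
```

Run it against a real listing with `openssl ciphers -v ALL` piped into `parse_ciphers_v` to check the string on your own build; note that newer OpenSSL releases changed what the SSLv3/TLSv1 keywords select, so the `!SSLv3` predicate here models the 1.0.2 semantics the thread is discussing, not current behaviour.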
