Interesting that Chrome is happily using h2 on my domain that I activated for h2 earlier, and I have a couple of banned ciphers in mod_ssl.
On 16 October 2015 at 13:33, Yann Ylavic <[email protected]> wrote:
> On Fri, Oct 16, 2015 at 1:38 PM, Yann Ylavic <[email protected]> wrote:
>>
>> Actually I tried some brute bash script (attached) to show what
>> remains compared to "openssl ciphers ALL", and the result is:
>>
>> * libressl/install/2.2.1/bin/openssl:
>> - ECDHE-ECDSA-CHACHA20-POLY1305
>> - ECDHE-RSA-CHACHA20-POLY1305
>> - DHE-RSA-CHACHA20-POLY1305
>> - ECDHE-RSA-AES256-GCM-SHA384
>> - ECDHE-ECDSA-AES256-GCM-SHA384
>> - DHE-DSS-AES256-GCM-SHA384
>> - DHE-RSA-AES256-GCM-SHA384
>> - GOST2012256-GOST89-GOST89
>> - GOST2001-GOST89-GOST89
>> - ECDHE-RSA-AES128-GCM-SHA256
>> - ECDHE-ECDSA-AES128-GCM-SHA256
>> - DHE-DSS-AES128-GCM-SHA256
>> - DHE-RSA-AES128-GCM-SHA256
>> - EDH-RSA-DES-CBC3-SHA
>> - EDH-DSS-DES-CBC3-SHA
>> - EDH-RSA-DES-CBC-SHA
>> - EDH-DSS-DES-CBC-SHA
>>
>> * openssl/install/1.0.2d/bin/openssl:
>> - ECDHE-RSA-AES256-GCM-SHA384
>> - ECDHE-ECDSA-AES256-GCM-SHA384
>> - DHE-DSS-AES256-GCM-SHA384
>> - DHE-RSA-AES256-GCM-SHA384
>> - ECDHE-RSA-AES128-GCM-SHA256
>> - ECDHE-ECDSA-AES128-GCM-SHA256
>> - DHE-DSS-AES128-GCM-SHA256
>> - DHE-RSA-AES128-GCM-SHA256
>> - EDH-RSA-DES-CBC3-SHA
>> - EDH-DSS-DES-CBC3-SHA
>> - EDH-RSA-DES-CBC-SHA
>> - EDH-DSS-DES-CBC-SHA
>> - EXP-EDH-RSA-DES-CBC-SHA
>> - EXP-EDH-DSS-DES-CBC-SHA
>>
>> So 'TLSv1.2:!kRSA:!aECDH:!DH' is a bit too restrictive
>
> Looks like 'ALL:!SSLv3:!kRSA:!ADH:!aECDH' matches pretty well
> (excluding for the undesirable ones above).
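
An added example, not the bash script attached to the original mail and not mod_ssl or mod_http2 code: a name-based triage of the OpenSSL 1.0.2d list quoted above, separating suites that have both an ephemeral key exchange and an AEAD cipher (the properties RFC 7540, section 9.2.2 and Appendix A, asks of TLS 1.2 suites used for h2) from the remaining DES/3DES/export entries. The function names and the name-parsing heuristic are assumptions; names outside the quoted lists, such as anonymous suites, are not modelled.

```python
# Added example: name-based triage of OpenSSL cipher names for HTTP/2.
# Heuristic on OpenSSL-style names only; it is not the RFC 7540 Appendix A table.

# Names copied from the openssl 1.0.2d result quoted in the thread above.
OPENSSL_102D = """
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384
DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256
EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA
EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA
""".split()

EPHEMERAL_KX = ("ECDHE-", "DHE-", "EDH-")  # EDH is OpenSSL's older spelling of DHE
AEAD_MARKERS = ("-GCM-", "CHACHA20-POLY1305")


def reasons_against(name):
    """Return why a cipher name fails the two h2 properties (empty list = fine)."""
    reasons = []
    base = name[len("EXP-"):] if name.startswith("EXP-") else name
    if base != name:
        reasons.append("export grade")
    if not base.startswith(EPHEMERAL_KX):
        reasons.append("no ephemeral key exchange")
    if not any(marker in base for marker in AEAD_MARKERS):
        reasons.append("not AEAD")
    return reasons


def triage(names):
    """Split names into (acceptable list, {rejected name: reasons})."""
    acceptable, rejected = [], {}
    for name in names:
        why = reasons_against(name)
        if why:
            rejected[name] = why
        else:
            acceptable.append(name)
    return acceptable, rejected


if __name__ == "__main__":
    ok, bad = triage(OPENSSL_102D)
    print("acceptable for h2:", *ok, sep="\n  ")
    for name, why in bad.items():
        print(f"reject {name}: {', '.join(why)}")
```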
