On Thu, Mar 29, 2018 at 11:39 AM, Yann Ylavic <[email protected]> wrote:
> On Thu, Mar 29, 2018 at 10:16 AM, Stefan Eissing
> <[email protected]> wrote:
>>
>> Along the gist of your proposal, I think I'll expand "SSLCipherSuite"
>> to take more than 1 argument and look for optional prefixes to the
>> suite strings given, so one could do
>>
>> # as before, applies to all TLS protocols <=TLSv1.2
>> SSLCipherSuite XXX:YY:-AASSD:DSDS
>>
>> # Set ciphers for TLSv1.3, does not replace the previous line
>> SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
>>
>> So, the directive becomes:
>>
>> SSLCipherSuite [ ProtocolClass ] Cipher-String
>>
>> where ProtocolClass is:
>> SSL (default) all TLS/SSL Protocols <= TLSv1.2
>> TLSv1.3 TLS version 1.3
>
> Looks good to me.
> I wonder if it's not applicable to TLSv1.2 already, there is a number
> of ciphers available to 1.2 only (with openssl < 1.1).
> (e.g. GCMs, CHACHA+POLYs, SHA-2s ...)
>
> Thanks,
> Yann.
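The two-class "SSLCipherSuite [ ProtocolClass ] Cipher-String" syntax discussed above, worked through as an added example; this is not mod_ssl's code nor anything either poster wrote. The hypothetical helper parse_cipher_suite_config reads httpd-style config lines with the merge semantics from the proposal (a TLSv1.3 line does not replace the SSL line, and vice versa) and rejects non-TLS_* names under TLSv1.3, on the assumption, which matches OpenSSL's naming, that TLSv1.3 suites always carry their TLS_* names. The hypothetical split_by_protocol uses the local OpenSSL through Python's ssl module to show why the separate class is needed at all: a legacy cipher string only narrows the <= TLSv1.2 list, while any TLSv1.3 suites (if the linked OpenSSL has TLSv1.3 support; otherwise that list is simply empty) are left untouched.

```python
"""Added example for this thread, not code from httpd or from any poster.

Hypothetical helpers for the proposed grammar
    SSLCipherSuite [ ProtocolClass ] Cipher-String
with ProtocolClass "SSL" (default, every protocol <= TLSv1.2) or "TLSv1.3".
"""
import shlex
import ssl

PROTOCOL_CLASSES = ("SSL", "TLSv1.3")
DEFAULT_CLASS = "SSL"


def parse_cipher_suite_config(text):
    """Return {protocol_class: cipher_string} from the SSLCipherSuite lines
    of an httpd-style config fragment (other directives are skipped).

    A later line for a class replaces the earlier line for that class only,
    so the other class keeps its setting. OpenSSL names TLSv1.3 suites with
    their IANA-style TLS_* names, so anything else under TLSv1.3 is rejected.
    """
    suites = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):        # httpd: whole-line comments
            continue
        tokens = shlex.split(line)
        if tokens[0].lower() != "sslciphersuite":   # directive names are case-insensitive
            continue
        args = tokens[1:]
        if len(args) == 1:
            proto, spec = DEFAULT_CLASS, args[0]
        elif len(args) == 2 and args[0] in PROTOCOL_CLASSES:
            proto, spec = args
        else:
            raise ValueError(
                f"line {lineno}: expected SSLCipherSuite [ProtocolClass] Cipher-String"
            )
        if proto == "TLSv1.3":
            bad = [s for s in spec.split(":") if not s.startswith("TLS_")]
            if bad:
                raise ValueError(f"line {lineno}: not TLSv1.3 suites: {bad}")
        suites[proto] = spec
    return suites


def split_by_protocol(cipher_string="ECDHE+AESGCM"):
    """Apply a legacy OpenSSL cipher string to a context and return the
    remaining suite names as (<=TLSv1.2 list, TLSv1.3 list).

    set_ciphers() filters only the <=TLSv1.2 suites; TLSv1.3 suites, when the
    linked OpenSSL has them, stay as they were. That is exactly why a single
    cipher string cannot express a TLSv1.3 policy and the proposal adds a
    separate class for it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    ciphers = ctx.get_ciphers()
    legacy = [c["name"] for c in ciphers if c["protocol"] != "TLSv1.3"]
    tls13 = [c["name"] for c in ciphers if c["protocol"] == "TLSv1.3"]
    return legacy, tls13


# Constructed config fragment written in the shape of the proposal above.
EXAMPLE_CONFIG = """
# as before, applies to all TLS protocols <= TLSv1.2
SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5
# Set ciphers for TLSv1.3, does not replace the previous line
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
SSLHonorCipherOrder on
"""

if __name__ == "__main__":
    for proto, spec in parse_cipher_suite_config(EXAMPLE_CONFIG).items():
        print(f"{proto:8} {spec}")
    legacy, tls13 = split_by_protocol()
    print("<=TLSv1.2 after set_ciphers('ECDHE+AESGCM'):", legacy)
    print("TLSv1.3 suites left untouched:", tls13)
```

Running it prints the two classes from the fragment and then, on an OpenSSL 1.1.1 or later build, the four ECDHE AES-GCM suites next to the still-present TLS_* suites; feeding the parser a TLSv1.3 line containing a legacy name such as ECDHE-RSA-AES128-GCM-SHA256 raises ValueError.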
