On 08/25/2016 01:44 PM, Yann Ylavic wrote:
> On Thu, Aug 25, 2016 at 10:26 PM, Yann Ylavic <ylavic....@gmail.com> wrote:
>> An exhaustive ciphers list looks not evolutive to me, and depends on
>> the SSL library version.
>> "Modern" ciphers could possibly be defined by
>> 'kECDHE:!MEDIUM:!LOW:!aNULL:!eNULL:!SSLv3', and "Intermediate" ones
>> with 'kECDHE:kRSA:!MEDIUM:!LOW:!aNULL:!eNULL:!SSLv3'.
> Actually, intermediate looks more like:
> kECDHE:kDHE:kRSA:+SHA:!MEDIUM:!LOW:!aNULL:!eNULL:!DSS:!RC4:!3DES
I think this illustrates the problem with attempting a forward-facing
cipherstring: in the end, you still have to plug it into OpenSSL to see
what ciphers you get out, and check if all of those options are "strong
ciphers". If not, you add yet another exception, rinse, and repeat.
(HIGH was supposed to be the evolutive way to go, but IIRC that failed
due to backwards compatibility concerns when OpenSSL tried to remove the
weak ciphers from it.)
If we have to review the list periodically anyway to make sure that our
cipherstring spits out only strong ciphers -- and IMHO we absolutely
should be doing that -- why not adopt an exhaustive list, and just keep
it up to date?
--Jacob
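Jacob's point above is that whichever cipherstring is chosen, it still has to be fed to the installed OpenSSL and the resulting expansion checked suite by suite, and that an exhaustive list then needs the same periodic review. The script below is an added example (not code from the thread, httpd or OpenSSL) that does exactly that audit: it parses `openssl ciphers -v` output, flags suites that violate a small policy, and diffs the expansion against an exhaustive allowlist so that library upgrades show up as additions or removals. The sample output, the policy rules and the allowlist are constructed for illustration; the two cipherstrings are the ones quoted in the thread.

```python
"""Expand a cipherstring with OpenSSL and audit what actually comes out.

Added example for the thread above; not code from httpd or OpenSSL.  The
policy rules and the sample output below are constructed for illustration.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample in the format of `openssl ciphers -v` (name, protocol,
# Kx=, Au=, Enc=, Mac=); real output comes from expand_with_openssl().
SAMPLE_OPENSSL_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA1
DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA256
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
ECDHE-RSA-RC4-SHA           SSLv3   Kx=ECDH Au=RSA Enc=RC4(128)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1
DHE-DSS-AES128-SHA          SSLv3   Kx=DH   Au=DSS Enc=AES(128)    Mac=SHA1
"""

# The two cipherstrings quoted in the thread.
MODERN = "kECDHE:!MEDIUM:!LOW:!aNULL:!eNULL:!SSLv3"
INTERMEDIATE = "kECDHE:kDHE:kRSA:+SHA:!MEDIUM:!LOW:!aNULL:!eNULL:!DSS:!RC4:!3DES"


@dataclass(frozen=True)
class Cipher:
    name: str
    protocol: str
    kx: str
    au: str
    enc: str
    mac: str


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` lines into Cipher records."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or unexpected line
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        out.append(Cipher(fields[0], fields[1], attrs.get("Kx", ""),
                          attrs.get("Au", ""), attrs.get("Enc", ""),
                          attrs.get("Mac", "")))
    return out


def expand_with_openssl(cipherstring, openssl="openssl"):
    """Ask the locally installed OpenSSL what the string expands to."""
    proc = subprocess.run([openssl, "ciphers", "-v", cipherstring],
                          capture_output=True, text=True, check=True)
    return parse_ciphers_v(proc.stdout)


# Example policy (an assumption for this example, not a published profile):
# only the listed key exchanges, no anonymous or DSS authentication,
# no legacy bulk ciphers, no MD5 MACs.  The default allowed_kx mirrors the
# "Modern" string (kECDHE only); pass ("ECDH", "DH", "RSA") for Intermediate.
WEAK_ENC = re.compile(r"^(RC4|3DES|DES|RC2|IDEA|SEED)\(")


def audit(ciphers, allowed_kx=("ECDH",)):
    """Return [(name, reason)] for every suite that violates the policy."""
    findings = []
    for c in ciphers:
        if c.kx not in allowed_kx:
            findings.append((c.name, f"key exchange {c.kx}"))
        elif c.au in ("None", "DSS"):
            findings.append((c.name, f"authentication {c.au}"))
        elif c.enc == "None" or WEAK_ENC.match(c.enc):
            findings.append((c.name, f"cipher {c.enc}"))
        elif c.mac == "MD5":
            findings.append((c.name, "MAC MD5"))
    return findings


def diff_allowlist(ciphers, allowlist):
    """Compare an expansion against an exhaustive list: (unexpected, missing)."""
    got = {c.name for c in ciphers}
    want = set(allowlist)
    return sorted(got - want), sorted(want - got)


if __name__ == "__main__":
    ciphers = parse_ciphers_v(SAMPLE_OPENSSL_OUTPUT)
    for name, why in audit(ciphers, allowed_kx=("ECDH", "DH", "RSA")):
        print(f"weak under intermediate policy: {name}: {why}")
    try:
        live = expand_with_openssl(INTERMEDIATE)
        print(f"local OpenSSL expands INTERMEDIATE to {len(live)} suites")
    except (OSError, subprocess.CalledProcessError) as err:
        print(f"openssl not available: {err}")
```

Run against the constructed sample with the intermediate policy, the audit flags the RC4, 3DES and DSS suites; with the default (kECDHE-only) policy it additionally flags every DH and RSA key-exchange suite. The `diff_allowlist` function is the "exhaustive list" approach: pin the suites you expect, run the expansion after each library upgrade, and review only what changed.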