On Thu, Aug 25, 2016 at 11:04 PM, Jacob Champion <champio...@gmail.com> wrote: > On 08/25/2016 01:44 PM, Yann Ylavic wrote: >> >> On Thu, Aug 25, 2016 at 10:26 PM, Yann Ylavic <ylavic....@gmail.com> >> wrote: >>> >>> An exhaustive ciphers list looks not evolutive to me, and depends on >>> the SSL library version. >>> >>> "Modern" ciphers could possibly be defined by >>> 'kECDHE:!MEDIUM:!LOW:!aNULL:!eNULL:!SSLv3', and "Intermediate" ones >>> with 'kECDHE:kRSA:!MEDIUM:!LOW:!aNULL:!eNULL:!SSLv3'. >> >> >> Actually, intermediate looks more like: >> kECDHE:kDHE:kRSA:+SHA:!MEDIUM:!LOW:!aNULL:!eNULL:!DSS:!RC4:!3DES > > I think this illustrates the problem with attempting a forward-facing > cipherstring: in the end, you still have to plug it into OpenSSL to see what > ciphers you get out, and check if all of those options are "strong ciphers". > If not, you add yet another exception, rinse, and repeat.
I find this CipherSuite quite evolutive and unsurprising (key exchange algorithms don't change or are introduced too often, that's an euphemism :), if a cipher proves to be weak, add it to the :!END and be done (like RC4 and 3DES recently). Contrarywise with the exhaustive list method, if you upgrade e.g. from openssl 1.0 to 1.1 you have to figure out what the new strong ciphers are before adding them (like CHACHA/POLY1305, or CHACHA-GCM with libreSSL, or ..). The CipherSuite above is perfectly fine with all versions AFAICT... --------------------------------------------------------------------- To unsubscribe, e-mail: docs-unsubscr...@httpd.apache.org For additional commands, e-mail: docs-h...@httpd.apache.org
