On Thu, Aug 25, 2016 at 11:37 PM, Yann Ylavic <ylavic....@gmail.com> wrote:
>>>
>>> Actually, intermediate looks more like:
>>> kECDHE:kDHE:kRSA:+SHA:!MEDIUM:!LOW:!aNULL:!eNULL:!DSS:!RC4:!3DES
>
> The CipherSuite above is perfectly fine with all versions AFAICT...

I spoke too quickly, libressl does not understand the k prefix (which
is implicit), so this should rather be:
ECDHE:DHE:RSA:+SHA:!EXPORT:!MEDIUM:!LOW:!aNULL:!eNULL:!DSS:!RC4:!3DES

It works with openssl too (including 0.9.8, FWIW, since I added !EXPORT)...

On Thu, Aug 25, 2016 at 11:34 PM, Jacob Champion <champio...@gmail.com> wrote:
> On 08/25/2016 02:04 PM, Jacob Champion wrote:
>>
>> (HIGH was supposed to be the evolutive way to go, but IIRC that failed
>> due to backwards compatibility concerns when OpenSSL tried to remove the
>> weak ciphers from it.)
>
>
> (For more exciting reading on the cipher compatibility saga, see
>
> https://mta.openssl.org/pipermail/openssl-dev/2016-February/005171.html

Note that this thread recommends:
DEFAULT:!EXPORT:!LOW:!MEDIUM
which, with openssl 1.1, selects DHE-RSA-AES256-SHA before e.g.
ECDHE-ECDSA-CHACHA20-POLY1305.
So some tuning is needed there too...
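
The ordering concern raised in the message above can be checked mechanically. The following is an added example, not part of the original message or of httpd: it expands a cipher string with the locally linked OpenSSL through Python's `ssl` module and reports every SHA-1 MAC suite that is preferred over a later AEAD suite. The function names are hypothetical, suites are classified by name (an assumption based on OpenSSL's naming), and the result depends on the local OpenSSL version.

```python
import ssl

# Assumption: OpenSSL suite names mark AEAD modes with one of these tokens.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")

def expand(cipher_string):
    """Return the TLS <= 1.2 suite names selected, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites (TLS_*) are not governed by this string, so skip them.
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]

def is_sha1_mac(name):
    # Assumption: OpenSSL names for SHA-1 MAC suites end in "-SHA".
    return name.endswith("-SHA")

def is_aead(name):
    return any(marker in name for marker in AEAD_MARKERS)

def sha1_before_aead(cipher_string):
    """List (sha1_suite, aead_suite) pairs where the SHA-1 suite outranks
    the first AEAD suite that appears after it in the expanded list."""
    names = expand(cipher_string)
    findings = []
    for i, name in enumerate(names):
        if not is_sha1_mac(name):
            continue
        later = next((n for n in names[i + 1:] if is_aead(n)), None)
        if later is not None:
            findings.append((name, later))
    return findings

if __name__ == "__main__":
    # Both strings are quoted from the message above.
    candidates = (
        "ECDHE:DHE:RSA:+SHA:!EXPORT:!MEDIUM:!LOW:!aNULL:!eNULL:!DSS:!RC4:!3DES",
        "DEFAULT:!EXPORT:!LOW:!MEDIUM",
    )
    print(ssl.OPENSSL_VERSION)
    for candidate in candidates:
        print(candidate)
        for legacy, aead in sha1_before_aead(candidate):
            print(f"  {legacy} is preferred over {aead}")
```

An empty result for a string means no SHA-1 suite is ranked above an AEAD suite on that OpenSSL build; rerun it on each build the configuration is deployed against.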