> On May 26, 2016, at 9:44 AM, Angus Robertson - Magenta Systems Ltd
> <an...@magsys.co.uk> wrote:
>
> I have two custom Windows web sites, running released and beta versions
> of OpenSSL. The beta version only gets an A- score with SSL Labs,
> whereas the release version gets A+.
>
> https://www1.telecom-tariffs.co.uk/serverinfo.htm
>
> shows server status, and that it's running OpenSSL 1.1.0-pre5 (beta) 19
> Apr 2016, SSL Labs says: 'Cipher Suites (sorted by strength as the
> server has no preference;) The server does not support Forward Secrecy
> with the reference browsers. Grade reduced to A-.'
>
> https://www.telecom-tariffs.co.uk/serverinfo.htm
>
> is the main live server running OpenSSL 1.0.2h 3 May 2016, and gets a
> score A+ saying 'Cipher Suites (SSL 3+ suites in server-preferred
> order)'.

Sites like SSL Labs sometimes have bugs, and also your server
configuration may lack DHE or ECDHE parameters. In any case, OpenSSL
1.1.0 beta does support server preference, and I don't think any recent
commits either broke or fixed this. Testing with Postfix compiled
against HEAD I see:

    # postconf -e "tls_preempt_cipherlist = no"
    # postfix reload
    postfix/postfix-script: refreshing the Postfix mail system
    # posttls-finger -Lsummary -lencrypt -c -o "tls_medium_cipherlist = AES128-SHA:AES256-SHA" "[localhost]:25"
    posttls-finger: Untrusted TLS connection established to localhost[127.0.0.1]:25: TLSv1.2 with cipher AES128-SHA (128/128 bits)

    # postconf -e "tls_preempt_cipherlist = yes"
    # postfix reload
    postfix/postfix-script: refreshing the Postfix mail system
    # posttls-finger -Lsummary -lencrypt -c -o "tls_medium_cipherlist = AES128-SHA:AES256-SHA" "[localhost]:25"
    posttls-finger: Untrusted TLS connection established to localhost[127.0.0.1]:25: TLSv1.2 with cipher AES256-SHA (256/256 bits)

Which shows the server preference in effect for the second connection
(AES256 used despite client's preference for AES128).

-- 
    Viktor.
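
Added example, not part of the original message or of Postfix/OpenSSL: a small Python model of the check shown above, generalized to classify a server from probes with the client's cipher order reversed. The function names and the server's strength-ordered cipher list are assumptions; in real use `probe` would run a client such as posttls-finger and feed its summary line to `parse_summary`.

```python
import re

# Matches the summary line printed by posttls-finger, as quoted in the message above.
SUMMARY = re.compile(
    r"TLS connection established to (?P<peer>\S+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<used>\d+)/(?P<avail>\d+) bits\)"
)

def parse_summary(line):
    """Return (protocol, cipher) from a posttls-finger summary line, or None."""
    m = SUMMARY.search(line)
    return (m["proto"], m["cipher"]) if m else None

def negotiate(client_offer, server_list, server_preference):
    """Model of cipher selection: the first cipher in the preferring side's
    list that the other side also has, or None if nothing is shared."""
    if server_preference:
        primary, other = server_list, client_offer
    else:
        primary, other = client_offer, server_list
    return next((c for c in primary if c in other), None)

def infer_preference(probe, a, b):
    """Classify a server using probe(offer) -> negotiated cipher or None."""
    # Both ciphers must be accepted on their own; a server that supports only
    # one of them would otherwise look like it is enforcing its own order.
    if probe([a]) != a or probe([b]) != b:
        return "inconclusive"
    fwd, rev = probe([a, b]), probe([b, a])
    if fwd == rev:
        return "server-preference"   # same choice whatever the client order
    if (fwd, rev) == (a, b):
        return "client-preference"   # server follows the client's first choice
    return "inconclusive"

# Constructed inputs: the client offer from the message, and an assumed
# strength-ordered server list.
OFFER = ["AES128-SHA", "AES256-SHA"]
SERVER = ["AES256-SHA", "AES128-SHA"]

if __name__ == "__main__":
    for pref in (False, True):
        verdict = infer_preference(lambda o: negotiate(o, SERVER, pref), *OFFER)
        print(pref, negotiate(OFFER, SERVER, pref), verdict)
```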