>From: owner-openssl-us...@openssl.org On Behalf Of Bogdan Harjoc
>Sent: Thursday, 27 September, 2012 11:19

>On Thu, Sep 27, 2012 at 1:43 AM, Dave Thompson <dthomp...@prinpay.com> wrote:
>> What version of openssl, and was it built with any options?
<snip>
>I tried with 1.0.0d and 1.0.1c. I was hoping to be able to just
>push ECC ciphers down in the list instead of not sending them at all.

That you can do. Use something like "DEFAULT:+ECDH" (just move to end)
or "DEFAULT:-ECDH:ECDH" (- NOT !) (remove and then add back at end).
Whether that works for "all servers" you encounter I won't guess,
but it's easy enough to try.

>> On the other hand, if you want "servers we find on the internet
>> that might be useful", you can probably disable all ECC (in 1.0.0+)
>> and DSS. There are various people doing research on usage of SSL
>> mostly HTTPS on the public net, and the published results I have
>> seen consistently say something like 0.0001% DSS and zero ECC.

>I'm considering using "DEFAULT:!ECDH", thanks (although it
>disables 32 ciphers which is scary).

Only in 1.0.1 with the new TLSv1.2 features for GCM and SHA2.
Even in 1.0.0 it covers ephemeral and static, and there's no apparent
reason to use static when ephemeral gives forward secrecy for free.
Within each "half" there are 2 auth methods and 4 ciphers.
Kx=RSA (with 1 auth method) is 17/13 suites and DH (with 2 auth
methods, but only ephemeral not static in openssl) is 24/16.
Those (still) include some 'export' (weak) suites, a kludge that was
no longer needed by the time ECDH got standardized.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
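The three cipher strings discussed in this reply ("DEFAULT:+ECDH", "DEFAULT:-ECDH:ECDH" and "DEFAULT:!ECDH") can be compared without a live server by asking the OpenSSL that Python's `ssl` module is linked against how it expands each one. The script below is an added example, not code from the thread or from the OpenSSL project; it assumes only the standard `ssl` module and parses the `Kx=` field out of each suite's description line. On OpenSSL 1.1.1 and later the suite counts will differ from the 32 quoted above for 1.0.1, and TLS 1.3 suites (reported as `Kx=any`) are configured separately and are not affected by the `ECDH` keyword, so the ordering check ignores them.

```python
"""Added example: observe what +ECDH, -ECDH:ECDH and !ECDH do to a cipher list."""
import re
import ssl

# OpenSSL describes each suite as e.g.
#   "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
# The key-exchange method is the Kx= token; that is what the ECDH keyword matches.
_KX = re.compile(r"Kx=(\S+)")


def kx_sequence(cipher_string):
    """Key-exchange method of every enabled suite, in the order OpenSSL would offer them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)          # raises ssl.SSLError if nothing matches
    seq = []
    for suite in ctx.get_ciphers():
        m = _KX.search(suite["description"])
        seq.append(m.group(1) if m else "?")
    return seq


def count_ecdh(cipher_string):
    """Number of suites using ECDH key exchange that the string leaves enabled."""
    return sum(1 for kx in kx_sequence(cipher_string) if kx == "ECDH")


def ecdh_last(cipher_string):
    """True if every ECDH suite is ordered after every non-ECDH suite.

    TLS 1.3 suites (Kx=any) are excluded: they live in a separate list and the
    TLS 1.2-and-below cipher string cannot reorder or remove them.
    """
    seq = [kx for kx in kx_sequence(cipher_string) if kx != "any"]
    ecdh_pos = [i for i, kx in enumerate(seq) if kx == "ECDH"]
    other_pos = [i for i, kx in enumerate(seq) if kx != "ECDH"]
    if not ecdh_pos or not other_pos:
        return False
    return min(ecdh_pos) > max(other_pos)


if __name__ == "__main__":
    print("linked against", ssl.OPENSSL_VERSION)
    for spec in ("DEFAULT", "DEFAULT:+ECDH", "DEFAULT:-ECDH:ECDH", "DEFAULT:!ECDH"):
        seq = kx_sequence(spec)
        print(f"{spec:22s} total={len(seq):3d} ecdh={count_ecdh(spec):3d} "
              f"ecdh_last={ecdh_last(spec)} order={' '.join(seq)}")
```

Running it shows the point of the reply: `+ECDH` and `-ECDH:ECDH` keep the same number of ECDH suites as `DEFAULT` but push them behind the RSA and DH suites, so a server that prefers the client's order will still pick an ECDHE suite only when nothing earlier is acceptable, whereas `!ECDH` removes them outright and cannot be re-added later in the same string.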