Is there any downside to adding @STRENGTH to the cipher list? From "man
ciphers" (openssl), "the cipher string @STRENGTH can be used at any point
to sort the current cipher list in order of encryption algorithm key
For example, the current default is:
which I've changed to the following in my installation:
Confirming the resulting list via "openssl ciphers -v
'HIGH+kEDH:HIGH+kEECDH:@STRENGTH:HIGH:!PSK:!SRP:!3DES:!aNULL'" shows that
the ephemeral suites are still listed before the non-ephemeral suites, but
now the longer encryption keys are also preferred over shorter ones. (For
a given enc key length, EDH is still preferred over EECDH.)
Without @STRENGTH, the default list prefers any EDH suite (such as 128 bit
keys) over any EECDH suite (including 256 bit keys). But by adding
@STRENGTH, now EDH or EECDH 256 bit enc keys are preferred over EDH or
EECDH 128 bit enc keys...
Using the test at xmpp.net to confirm, here's the default cipher list
before adding @STRENGTH:
and here's the list after adding @STRENGTH:
Is there any reason to not include @STRENGTH?
Going one step further, we can also sort the hash functions (for each enc
key length) so that stronger hashes are preferred before weaker ones.
Adding ":+SHA384:+SHA256:+SHA:" just before @STRENGTH such as:
(ephemeral preferred over non-ephemeral, then longer encryption keys over
shorter ones, and lastly, stronger hashes over weaker.)
Note: I wish openssl had a "@HASHSTRENGTH" string for sorting by hash
strength, rather than hard coding the "SHA384", "SHA256" and "SHA"
strings... then the combination could just be:
"...:@HASHSTRENGTH:@STRENGTH:...". Or perhaps if sorting could be
generalized such as "@SORTHASH:@SORTENC:@SORTEPHEMERAL", then the whole
string could become:
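As an added example (not part of the original post or of Prosody), here is a small Python script that parses `openssl ciphers -v` output and both checks and reproduces the preference order described above: ephemeral key exchange first, then longer encryption keys, then SHA384 over SHA256 over SHA-1. The sample listing is constructed, and treating Kx=DH / Kx=ECDH as ephemeral and ranking the hash by the suite-name suffix are assumptions of the example.

```python
import re

LINE_RE = re.compile(r"^(\S+)\s+\S+\s+Kx=(\S+)\s+Au=\S+\s+Enc=\w+\((\d+)\)")
HASH_RANK = {"SHA384": 3, "SHA256": 2, "SHA": 1}  # the post's "+SHA384:+SHA256:+SHA" preference

# Constructed sample of `openssl ciphers -v` output, deliberately out of order.
SAMPLE = """\
DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA          SSLv3   Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA1
AES256-GCM-SHA384           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA256
"""

def parse_suite(line):
    """Return (line, name, ephemeral, enc_bits, hash_rank) for one `ciphers -v` line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised ciphers -v line: %r" % line)
    name, kx, bits = m.group(1), m.group(2), int(m.group(3))
    ephemeral = kx in ("DH", "ECDH")      # assumption: DHE/ECDHE are shown as Kx=DH / Kx=ECDH
    suffix = name.rsplit("-", 1)[-1]      # SHA384 / SHA256 / SHA (SHA-1) from the suite name
    return line, name, ephemeral, bits, HASH_RANK.get(suffix, 0)

def sort_key(suite):
    _, _, ephemeral, bits, hrank = suite
    # Ephemeral first, then longer enc keys, then stronger hash. sorted() is stable,
    # so suites that tie keep their existing relative order (e.g. EDH before EECDH).
    return (not ephemeral, -bits, -hrank)

def preferred_lines(output):
    """Re-order the listing the way the post's cipher string is meant to."""
    suites = [parse_suite(l) for l in output.splitlines() if l.strip()]
    return [s[0] for s in sorted(suites, key=sort_key)]

def preferred_names(output):
    return [line.split()[0] for line in preferred_lines(output)]

def is_ordered(output):
    """True if a `ciphers -v` listing already follows that preference order."""
    keys = [sort_key(parse_suite(l)) for l in output.splitlines() if l.strip()]
    return keys == sorted(keys)

if __name__ == "__main__":
    print("ordered as listed?", is_ordered(SAMPLE))
    print("\n".join(preferred_lines(SAMPLE)))
```

To check a real installation, feed it the output of `openssl ciphers -v '<your cipher string>'` instead of SAMPLE.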
Visit this group at http://groups.google.com/group/prosody-dev.