Is there any downside to adding @STRENGTH to the cipher list?  From "man 
ciphers" (openssl), "the cipher string @STRENGTH can be used at any point 
to sort the current cipher list in order of encryption algorithm key 

For example, the current default is:

which I've changed to the following in my installation:

Confirming the resulting list via "openssl ciphers -v 
the ephemeral suites are still listed before the non-ephemeral suites, but 
now the longer encryption keys are also preferred over shorter ones.  (for 
a given enc key length, EDH and still preferred over EECDH)

Without @STRENGTH, the default list prefers any EDH suite (such as 128 bit 
keys) over any EECDH suite (including 256 bit keys).  But by adding 
@STRENGTH, now EDH or EECDH 256 bit enc keys are preferred over EDH or 
EECDH 128 bit enc keys...

Using the test at to confirm, here's the default cipher list 
before adding @STRENGTH:

and here's the list after adding @STRENGTH:

Is there any reason to not include @STRENGTH?

Going one step further, we can also sort the hash functions (for each enc 
key length) so that stronger hashes are preferred before weaker ones.

Adding ":+SHA384:+SHA256:+SHA:" just before @STRENGTH such as:

results in:
(ephemeral preferred over non-ephemeral, then longer encryption keys over 
shorter ones, and lastly, stronger hashes over weaker.)

- David

note: I wish openssl had a "@HASHSTRENGTH" string for sorting by hash 
strength, rather than hard coding the "SHA384", "SHA256" and "SHA" 
strings...  then the combination could just be: 
"...:@HASHSTRENGTH:@STRENGTH:...".  Or perhaps if sorting could be 
generalized such as "@SORTHASH:@SORTENC:@SORTEPHEMERAL", then the whole 
string could become: 

You received this message because you are subscribed to the Google Groups 
"prosody-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
To post to this group, send email to
Visit this group at
For more options, visit

Reply via email to