i'm ok with it
Jasper Lievisse Adriaanse(jas...@openbsd.org) on 2018.08.17 21:21:25 +0200:
> Hi,
>
> The current limit on 'tls ciphers' is 255 characters which prevents using
> the cipher list as recommended by
> https://mozilla.github.io/server-side-tls/ssl-config-generator/
> for example (clocks in just shy of 300 characters).
>
> tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
>
> results in a "ciphers too long" error.
>
> I'm aware that 'secure' and 'compat' are available too, but perhaps
> we can increase the limit a bit?
>
> Cheers,
> Jasper
>
> Index: httpd.h
> ===
> RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
> retrieving revision 1.138
> diff -u -p -r1.138 httpd.h
> --- httpd.h 20 Jun 2018 16:43:05 - 1.138
> +++ httpd.h 17 Aug 2018 12:42:37 -
> @@ -60,7 +60,7 @@
> #define HTTPD_LOGVIS VIS_NL|VIS_TAB|VIS_CSTYLE
> #define HTTPD_TLS_CERT "/etc/ssl/server.crt"
> #define HTTPD_TLS_KEY"/etc/ssl/private/server.key"
> -#define HTTPD_TLS_CONFIG_MAX 255
> +#define HTTPD_TLS_CONFIG_MAX 512
> #define HTTPD_TLS_CIPHERS"compat"
> #define HTTPD_TLS_DHE_PARAMS "none"
> #define HTTPD_TLS_ECDHE_CURVES "default"
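
Review bot: The new value on the HTTPD_TLS_CONFIG_MAX line carries no comment saying what it bounds or why 512 was picked. The name is generic (CONFIG, not CIPHERS) and sits next to HTTPD_TLS_DHE_PARAMS and HTTPD_TLS_ECDHE_CURVES, while the message only talks about 'tls ciphers'. Please add a one-line comment stating which settings the limit applies to and whether the terminating NUL is counted in the 512, and confirm that every buffer sized by this macro is fine with the doubled size, since the diff only touches the define.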
>
> --
> jasper
>