Is there any downside to adding @STRENGTH to the cipher list? From "man ciphers" (openssl), "the cipher string @STRENGTH can be used at any point to sort the current cipher list in order of encryption algorithm key length."

For example, the current default is:

"HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL"

which I've changed to the following in my installation:

"HIGH+kEDH:HIGH+kEECDH:@STRENGTH:HIGH:!PSK:!SRP:!3DES:!aNULL"

Confirming the resulting list via "openssl ciphers -v 'HIGH+kEDH:HIGH+kEECDH:@STRENGTH:HIGH:!PSK:!SRP:!3DES:!aNULL'" shows that the ephemeral suites are still listed before the non-ephemeral suites, but now the longer encryption keys are also preferred over shorter ones. (For a given enc key length, EDH is still preferred over EECDH.)

Without @STRENGTH, the default list prefers any EDH suite (such as 128 bit keys) over any EECDH suite (including 256 bit keys). But by adding @STRENGTH, now EDH or EECDH 256 bit enc keys are preferred over EDH or EECDH 128 bit enc keys...

Using the test at xmpp.net to confirm, here's the default cipher list before adding @STRENGTH: https://xmpp.net/result.php?id=46754 and here's the list after adding @STRENGTH: https://xmpp.net/result.php?id=48429

Is there any reason to not include @STRENGTH?

Going one step further, we can also sort the hash functions (for each enc key length) so that stronger hashes are preferred before weaker ones. Adding ":+SHA384:+SHA256:+SHA:" just before @STRENGTH, such as:

"HIGH+kEDH:HIGH+kEECDH:+SHA384:+SHA256:+SHA:@STRENGTH:HIGH:!PSK:!SRP:!3DES:!aNULL"

results in: https://xmpp.net/result.php?id=48444 (ephemeral preferred over non-ephemeral, then longer encryption keys over shorter ones, and lastly, stronger hashes over weaker.)

- David

Note: I wish openssl had a "@HASHSTRENGTH" string for sorting by hash strength, rather than hard coding the "SHA384", "SHA256" and "SHA" strings... then the combination could just be: "...:@HASHSTRENGTH:@STRENGTH:...".
Or perhaps if sorting could be generalized such as "@SORTHASH:@SORTENC:@SORTEPHEMERAL", then the whole string could become: "HIGH:@SORTHASH:@SORTENC:@SORTEPHEMERAL:!PSK:!SRP:!3DES:!aNULL"
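The reordering the post reasons about can be checked without a TLS scanner by modelling the two cipher-string operators involved: "@STRENGTH" (sort the current list by Enc key length, longest first) and "+ALIAS" (move matching suites to the end of the list, adding nothing). The Python below is an added illustration, not code from the post or from Prosody or OpenSSL. It parses a constructed, deliberately short list in the shape of "openssl ciphers -v" output, and it simplifies one thing: the hash of a suite is read from the name suffix (SHA384/SHA256/SHA) so that AEAD suites, whose Mac column says AEAD, are still grouped by the hash in their name; how a given OpenSSL version's SHA256/SHA384 aliases treat AEAD suites should be confirmed with "openssl ciphers -v SHA256" on that version.

```python
"""Model of two OpenSSL cipher-string operators:
   @STRENGTH  - stable sort of the current list by Enc key length, longest first
   +ALIAS     - move suites matching ALIAS to the end of the list (adds nothing)
Suites are parsed from `openssl ciphers -v` style lines (constructed sample).
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of `openssl ciphers -v` output; it is not a
# real capture, and it is already in kEDH, kEECDH, static-RSA order, the way
# "HIGH+kEDH:HIGH+kEECDH:HIGH" would list it.
SAMPLE = """\
DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA256
DHE-RSA-AES256-SHA          SSLv3   Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA256     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA256
ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA1
AES256-SHA256               TLSv1.2 Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA256
AES128-GCM-SHA256           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(128) Mac=AEAD
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ver>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+?)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
)


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str      # key exchange: DH (kEDH), ECDH (kEECDH), RSA (static)
    bits: int    # encryption key length, which is what @STRENGTH sorts on
    hash_: str   # SHA384 / SHA256 / SHA1, taken from the suite name suffix


def parse_ciphers(text):
    """Parse `openssl ciphers -v` style lines; unparseable lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Simplification (assumption): classify the hash by the name suffix so
        # AEAD suites (Mac=AEAD) still carry the SHA256/SHA384 from their name.
        suffix = re.search(r"-(SHA384|SHA256|SHA)$", m["name"])
        hash_ = {"SHA": "SHA1"}.get(suffix[1], suffix[1]) if suffix else "OTHER"
        suites.append(Suite(m["name"], m["kx"], int(m["bits"]), hash_))
    return suites


# Aliases this model understands; OpenSSL defines many more.
ALIASES = {
    "SHA384": lambda s: s.hash_ == "SHA384",
    "SHA256": lambda s: s.hash_ == "SHA256",
    "SHA":    lambda s: s.hash_ == "SHA1",
    "SHA1":   lambda s: s.hash_ == "SHA1",
    "kEDH":   lambda s: s.kx == "DH",
    "kEECDH": lambda s: s.kx == "ECDH",
}


def move_to_end(suites, match):
    """'+ALIAS': matching suites go to the end, relative order preserved."""
    return [s for s in suites if not match(s)] + [s for s in suites if match(s)]


def sort_by_strength(suites):
    """'@STRENGTH': longest Enc key first. Python's sort is stable, so suites
    with equal key length keep the order they already had."""
    return sorted(suites, key=lambda s: -s.bits)


def apply_ops(suites, ops):
    """Apply '+ALIAS' and '@STRENGTH' operators left to right, as in a cipher string."""
    for op in ops:
        if op == "@STRENGTH":
            suites = sort_by_strength(suites)
        elif op.startswith("+"):
            suites = move_to_end(suites, ALIASES[op[1:]])
        else:
            raise ValueError(f"operator not modelled: {op}")
    return suites


def order_names(ops):
    """Suite names of the sample list after applying the given operators."""
    return [s.name for s in apply_ops(parse_ciphers(SAMPLE), ops)]


if __name__ == "__main__":
    for label, ops in [("as listed", []),
                       ("@STRENGTH", ["@STRENGTH"]),
                       ("+SHA384:+SHA256:+SHA:@STRENGTH",
                        ["+SHA384", "+SHA256", "+SHA", "@STRENGTH"])]:
        print(f"--- {label}")
        for s in apply_ops(parse_ciphers(SAMPLE), ops):
            print(f"{s.name:28} Kx={s.kx:5} Enc={s.bits} Hash={s.hash_}")
```

Two things the model makes visible. The sort is stable, so at equal key length kEDH stays ahead of kEECDH, which matches the observation above. But the sort is global: a 256-bit suite with static RSA key exchange is lifted above every 128-bit forward-secret suite, and the "+SHA384:+SHA256:+SHA" moves likewise regroup the whole list before @STRENGTH runs, so "ephemeral first" only survives as a tie-break rather than as the primary ordering. Whether that trade is acceptable depends on whether forward secrecy or key length matters more for the deployment; the actual order for a given build is what "openssl ciphers -v '<string>'" prints on that build.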