Anyone on this mailing list with a decent knowledge of SSL ciphers? I added the Mozilla recommended SSL cipher lists to ICS a few months ago, but most of the better ciphers were ignored. When I finally had time to investigate, it transpired many needed extra OpenSSL APIs to be set before they were usable. Thus the changes this week that add DH and EC key support.
However my testing using Firefox and MSIE 11 still does give the best ciphers from the list. Testing against the ICS web server with the latest ICS, this page displays the handshake used:

https://www.telecom-tariffs.co.uk/serverinfo.htm

For Firefox, I now get:

TLSv1.2, cipher ECDHE-RSA-AES128-GCM-SHA256, key exchange ECDH, encryption AESGCM(128), message authentication AEAD

but don't seem to get ciphers with AES256 or SHA384.

For MSIE 11, original testing got:

TLSv1, cipher ECDHE-RSA-AES128-SHA, key exchange ECDH, encryption AES(128), message authentication SHA1

but then I changed something and the current ICS gives:

TLSv1.2, cipher DHE-RSA-AES128-GCM-SHA256, key exchange DH, encryption AESGCM(128), message authentication AEAD

so MSIE is now using TLS 1.2, but not EC ciphers, nor AES256 or SHA384.

It could be I'm using Elliptic Curves that MSIE does not like, but the OpenSSL documentation on these seems non-existent. Maybe I've missed some other API needed to support AES256.

It's possible some of this is related to DH Parameter key sizes; we currently only support one size from a file, but there is another API I've not implemented yet that supports four key sizes (if supplied). I know that using a DH 2048 bit key stops MSIE 11 with no SSL, likewise ECHD-P512 stops MSIE.

Angus