Anyone on this mailing list with a decent knowledge of SSL ciphers?

I added the Mozilla recommended SSL cipher lists to ICS a few months ago, but
most of the better ciphers were ignored.  When I finally had time to
investigate, it transpired many needed extra OpenSSL APIs to be set before they
were usable.  Thus the changes this week that add DH and EC key support.  

However my testing using Firefox and MSIE 11 still does give the best ciphers
from the list.

Testing against the ICS web server with the latest ICS, this page displays the
handshake used: 

https://www.telecom-tariffs.co.uk/serverinfo.htm

For Firefox, I now get: TLSv1.2, cipher ECDHE-RSA-AES128-GCM-SHA256, key
exchange ECDH, encryption AESGCM(128), message authentication AEAD

but don't seem to get ciphers with AES256 or SHA384.

For MSIE 11, original testing got: TLSv1, cipher ECDHE-RSA-AES128-SHA, key
exchange ECDH, encryption AES(128), message authentication SHA1

but then I changed something and the current ICS gives: TLSv1.2, cipher
DHE-RSA-AES128-GCM-SHA256, key exchange DH, encryption AESGCM(128), message
authentication AEAD

so MSIE is now using TLS 1.2, but not EC ciphers, nor AES256 or SHA384.

It could be I'm using Elliptic Curves that MSIE does not like, but the OpenSSL
documentation on these seems non-existent.

Maybe I've missed some other API needed to support AES256. 

It's possible some of this is related to DH Parameter key sizes, we currently
only support one size from a file, but there is another API I've not
implemented yet that supports four key sizes (if supplied). I know that using a
DH 2048 bit key stops MSIE 11 with no SSL, likewise ECHD-P512 stops MSIE.  

Angus



 



 

-- 
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be

Reply via email to