On Sun, Nov 24, 2013 at 08:56:30AM -0800, James Peach wrote:
> On Nov 24, 2013, at 6:47 AM, Jan-Frode Myklebust <[email protected]> wrote:
>
> > Is it possible to configure ATS for forward secrecy? I've tried using
> > the same cipher suites as we use for apache httpd,
>
> Since it works in httpd, I assume that your OpenSSL supports the right set of
> cipher suites?
Yes, it should. Here's an httpd/mod_ssl/openssl-1.0.1e-16.el6_5.x86_64 report:
SSLCipherSuite EECDH+AES:EECDH+RC4:EECDH+AES256:EDH+AES:EDH+RC4:EDH+AES256:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
https://www.ssllabs.com/ssltest/analyze.html?d=altibetamail.altibox.net
and ATS 4.0.2/openssl-1.0.1e-16.el6_5.x86_64 using the same cipher list:
CONFIG proxy.config.ssl.server.cipher_suite STRING EECDH+AES:EECDH+RC4:EECDH+AES256:EDH+AES:EDH+RC4:EDH+AES256:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
https://www.ssllabs.com/ssltest/analyze.html?d=dibs.tanso.net
Of the cipher list, only these are offered with ATS:
TLS_RSA_WITH_RC4_128_SHA (0x5) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
httpd/mod_ssl additionally offers:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits (p: 128, g: 1, Ys: 128) FS
-jf
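To see which concrete suites that cipher string actually selects, and which of them give forward secrecy, here is an added Python example (not from the thread, ATS or httpd): it expands the string with the local OpenSSL through the ssl module and maps the suite IDs the SSL Labs reports print (0x5, 0x35, 0x9f, ...) to a forward-secrecy verdict. It assumes whatever OpenSSL the local Python is linked against, so on a modern build the RC4 suites come back as not selectable.

```python
import ssl

# Cipher string from the thread above (used unchanged for httpd and ATS)
CIPHER_STRING = ("EECDH+AES:EECDH+RC4:EECDH+AES256:EDH+AES:EDH+RC4:EDH+AES256:"
                 "RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5")
# Suite IDs as the SSL Labs reports above print them (transcribed from the thread)
ATS_OBSERVED = [0x5, 0x35]
HTTPD_OBSERVED = ATS_OBSERVED + [0x9f, 0x6b, 0x39, 0x9e, 0x67, 0x33]
# Kx= tokens OpenSSL prints for ephemeral (forward-secret) key exchanges
EPHEMERAL_KX = {"ECDH", "DH"}

def expand_cipher_string(cipher_string):
    """Let the local OpenSSL expand an OpenSSL cipher string into concrete suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()

def key_exchange(cipher):
    """Return the Kx= field of an entry from SSLContext.get_ciphers()."""
    for token in cipher["description"].split():
        if token.startswith("Kx="):
            return token[3:]
    return "?"

def has_forward_secrecy(cipher):
    # TLS 1.3 suites always use ephemeral (EC)DH; for TLS <= 1.2 only Kx=ECDH/DH do
    return cipher["protocol"] == "TLSv1.3" or key_exchange(cipher) in EPHEMERAL_KX

def split_by_forward_secrecy(cipher_string):
    """Names the string selects, split into (forward secret, not forward secret)."""
    fs, no_fs = [], []
    for cipher in expand_cipher_string(cipher_string):
        (fs if has_forward_secrecy(cipher) else no_fs).append(cipher["name"])
    return fs, no_fs

def classify_observed(suite_ids, cipher_string):
    """Map scanner suite IDs to True (FS), False (no FS) or None (not selectable here).
    OpenSSL's cipher id keeps the protocol in the high bytes; the low 16 bits are
    the IANA number the scanner prints (0x35 for TLS_RSA_WITH_AES_256_CBC_SHA)."""
    by_id = {c["id"] & 0xFFFF: c for c in expand_cipher_string(cipher_string)}
    return {sid: (has_forward_secrecy(by_id[sid]) if sid in by_id else None)
            for sid in suite_ids}

if __name__ == "__main__":
    fs, no_fs = split_by_forward_secrecy(CIPHER_STRING)
    print("forward secret:", fs)
    print("no forward secrecy:", no_fs)
    for label, ids in (("ATS", ATS_OBSERVED), ("httpd", HTTPD_OBSERVED)):
        print(label, classify_observed(ids, CIPHER_STRING))
```

If a server offers only IDs that map to False while the string expands to plenty of True entries, the cipher string is not the limiting factor; the server is missing what the ephemeral suites need (for DHE, DH parameters; for ECDHE, a curve), which matches what the ATS report above shows.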