oss-sec mailing list archives

Re: openssl default ciphers


From: Hanno Böck <hanno () hboeck de>
Date: Mon, 4 Nov 2013 18:49:06 +0100

On Mon, 4 Nov 2013 18:16:30 +0100
Stefan Bühler <stbuehler () lighttpd net> wrote:

> Is 'DEFAULT@STRENGTH:!LOW:!EXP' (should
> be similar to 'HIGH:MEDIUM:!aNULL') a reasonable default?

SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL@STRENGTH
should be fine. There are basically near zero browsers out there that
should have any problems with that. Even dinosaurs like IE6 can work
with this, you don't need "medium" ciphers as long as you don't want to
make a site accessible to browser museums.

And looking at what medium includes that high doesn't, it seems you
really don't want those ancient cipher suites:
-DHE-RSA-SEED-SHA
-DHE-DSS-SEED-SHA
-SEED-SHA
-IDEA-CBC-SHA
-IDEA-CBC-MD5
-RC2-CBC-MD5
-ECDHE-RSA-RC4-SHA
-ECDHE-ECDSA-RC4-SHA
-ECDH-RSA-RC4-SHA
-ECDH-ECDSA-RC4-SHA
-RC4-SHA
-RC4-MD5
-RC4-MD5
-PSK-RC4-SHA


-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42
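The following is an added example, not part of Hanno's mail or of lighttpd or OpenSSL, showing how a server administrator can audit what a cipher string actually selects before deploying it. It parses the `Kx=/Au=/Enc=/Mac=` columns of `openssl ciphers -v`, flags the suite families the mail lists as unwanted (RC4, SEED, IDEA, RC2, MD5 MACs, plus unauthenticated `aNULL` suites), and diffs two listings. The two embedded listings (`SAMPLE_MEDIUM`, `SAMPLE_HIGH`) are constructed, shortened samples in the real output format, used as a fallback; the local `openssl` binary is invoked only if it is installed.

```python
"""Audit OpenSSL cipher strings for legacy suites (added example, not project code)."""
import re
import shutil
import subprocess

# Constructed sample of `openssl ciphers -v MEDIUM` output (not captured from a real host).
SAMPLE_MEDIUM = """\
DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
"""

# Constructed sample for the string proposed in the mail (also not real captured output).
SAMPLE_HIGH = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

# One line of `openssl ciphers -v`: NAME PROTO Kx=.. Au=.. Enc=.. Mac=..
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")

# Encryption algorithms the mail says you don't want on a public site.
LEGACY_ENC = ("RC4", "SEED", "IDEA", "RC2")


def parse_ciphers(output):
    """Parse `openssl ciphers -v` output into a dict keyed by suite name.

    Keying by name also collapses duplicate names (e.g. an SSLv2 and an SSLv3
    RC4-MD5 entry), which older OpenSSL releases print twice.
    """
    suites = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, proto, kx, au, enc, mac = m.groups()
            suites[name] = {"proto": proto, "kx": kx, "au": au, "enc": enc, "mac": mac}
    return suites


def legacy_suites(suites):
    """Return sorted names of suites using a legacy cipher, an MD5 MAC, or no authentication."""
    return sorted(
        name for name, s in suites.items()
        if s["enc"].startswith(LEGACY_ENC) or s["mac"] == "MD5" or s["au"] == "None"
    )


def only_in_first(a, b):
    """Suite names selected by listing `a` but not by listing `b`."""
    return sorted(set(a) - set(b))


def live_ciphers(cipher_string):
    """Return the local openssl's -v listing for `cipher_string`, or None if unavailable."""
    if shutil.which("openssl") is None:
        return None
    res = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                         capture_output=True, text=True)
    return res.stdout if res.returncode == 0 and res.stdout.strip() else None


if __name__ == "__main__":
    proposed = "HIGH:!MEDIUM:!LOW:!aNULL@STRENGTH"
    medium = parse_ciphers(live_ciphers("MEDIUM") or SAMPLE_MEDIUM)
    high = parse_ciphers(live_ciphers(proposed) or SAMPLE_HIGH)
    print("suites MEDIUM adds on top of the proposed string:")
    for name in only_in_first(medium, high):
        print("  -" + name)
    print("legacy suites still selected by", proposed, ":", legacy_suites(high) or "none")
```

Run it on the server where the config will live: the live listing reflects that host's OpenSSL build, which is what `SSLCipherSuite` is evaluated against, and the last line should print `none` before the string goes into production.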
