oss-sec mailing list archives
Re: openssl default ciphers
From: Hanno Böck <hanno () hboeck de>
Date: Mon, 4 Nov 2013 18:49:06 +0100
On Mon, 4 Nov 2013 18:16:30 +0100 Stefan Bühler <stbuehler () lighttpd net> wrote:
Is 'DEFAULT@STRENGTH:!LOW:!EXP' (should be similar to 'HIGH:MEDIUM:!aNULL') a reasonable default?
SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL@STRENGTH

should be fine. There are basically near zero browsers out there that should have any problems with that. Even dinosaurs like IE6 can work with this; you don't need "medium" ciphers as long as you don't want to make a site accessible to browser museums.

And looking at what medium includes that high doesn't, it seems you really don't want those ancient cipher suites:

-DHE-RSA-SEED-SHA
-DHE-DSS-SEED-SHA
-SEED-SHA
-IDEA-CBC-SHA
-IDEA-CBC-MD5
-RC2-CBC-MD5
-ECDHE-RSA-RC4-SHA
-ECDHE-ECDSA-RC4-SHA
-ECDH-RSA-RC4-SHA
-ECDH-ECDSA-RC4-SHA
-RC4-SHA
-RC4-MD5
-RC4-MD5
-PSK-RC4-SHA

--
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42
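Added example, not part of the message above or of any project's code: a small audit that expands a cipher string with the OpenSSL build Python is linked against and reports any suite using the algorithms behind the list in the message (SEED, IDEA, RC2, RC4). The function names and the LEGACY_ALGORITHMS set are assumptions made for this example; the sample suite names are copied from the message.

```python
import ssl

# Assumption for this example: the algorithms behind the suites the message lists.
LEGACY_ALGORITHMS = {"SEED", "IDEA", "RC2", "RC4"}

# Suite names from the message (leading "-" dropped), used as sample input.
POSTED_MEDIUM_ONLY = """
DHE-RSA-SEED-SHA DHE-DSS-SEED-SHA SEED-SHA IDEA-CBC-SHA IDEA-CBC-MD5
RC2-CBC-MD5 ECDHE-RSA-RC4-SHA ECDHE-ECDSA-RC4-SHA ECDH-RSA-RC4-SHA
ECDH-ECDSA-RC4-SHA RC4-SHA RC4-MD5 RC4-MD5 PSK-RC4-SHA
""".split()


def legacy_algorithm(suite_name):
    """Return the legacy algorithm an OpenSSL suite name uses, or None."""
    # OpenSSL names are dash-separated; TLS 1.3 names use underscores.
    tokens = set(suite_name.upper().replace("_", "-").split("-"))
    hits = sorted(tokens & LEGACY_ALGORITHMS)
    return hits[0] if hits else None


def flag_legacy(suite_names):
    """Map each offending suite name to the algorithm that makes it legacy."""
    return {n: legacy_algorithm(n) for n in suite_names if legacy_algorithm(n)}


def expand(cipher_string):
    """Expand a cipher string using the locally linked OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Return the legacy suites a cipher string would enable on this host."""
    return flag_legacy(expand(cipher_string))


if __name__ == "__main__":
    print("OpenSSL build:", ssl.OPENSSL_VERSION)
    # The two strings discussed in the thread messages shown above.
    for candidate in ("HIGH:!MEDIUM:!LOW:!aNULL@STRENGTH", "HIGH:MEDIUM:!aNULL"):
        try:
            print(candidate, "->", audit(candidate) or "no legacy suites")
        except ssl.SSLError as exc:
            print(candidate, "-> rejected by this build:", exc)
```

The result depends on the OpenSSL version and build options on the host, so run it on the machine that serves the traffic rather than on a workstation.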