oss-sec mailing list archives

Re: openssl default ciphers


From: Russ Allbery <eagle () eyrie org>
Date: Mon, 04 Nov 2013 09:58:35 -0800

Hanno Böck <hanno () hboeck de> writes:

> SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL@STRENGTH
> should be fine. There are basically near zero browsers out there that
> should have any problems with that. Even dinosaurs like IE6 can work
> with this, you don't need "medium" ciphers as long as you don't want to
> make a site accessible to browser museums.

Just to data-point on compatibility, we've been using:

SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!ADH:!SSLv2:@STRENGTH

(not quite as strong as what you mention above; we should look at
changing) for all of Stanford's SSL web sites for years and years now, and
have never had a single complaint.

-- 
Russ Allbery (eagle () eyrie org)              <http://www.eyrie.org/~eagle/>
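
An added example, not part of the original message: one way to see what separates the two cipher strings quoted above is to expand both against the local OpenSSL build and diff the results. The function names are hypothetical, and the output depends on the OpenSSL version Python is linked against.

```python
import ssl

# The two SSLCipherSuite values quoted in the thread.
STRICT = "HIGH:!MEDIUM:!LOW:!aNULL@STRENGTH"
LOOSE = "HIGH:MEDIUM:!ADH:!SSLv2:@STRENGTH"


def expand(cipher_string):
    """Return {suite name: strength in bits} selected by the local OpenSSL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Raises ssl.SSLError if the string selects no suites at all.
    ctx.set_ciphers(cipher_string)
    return {c["name"]: c["strength_bits"] for c in ctx.get_ciphers()}


def compare(strict=STRICT, loose=LOOSE):
    """Return (suites only the loose string enables, suites only the strict one enables)."""
    s, l = expand(strict), expand(loose)
    only_loose = {n: b for n, b in l.items() if n not in s}
    only_strict = {n: b for n, b in s.items() if n not in l}
    return only_loose, only_strict


if __name__ == "__main__":
    only_loose, only_strict = compare()
    print("OpenSSL build:", ssl.OPENSSL_VERSION)
    print("Enabled by the looser string only:")
    # Weakest first, so the suites most worth dropping are at the top.
    for name, bits in sorted(only_loose.items(), key=lambda kv: kv[1]):
        print(f"  {bits:>4} bits  {name}")
    print("Enabled by the stricter string only:", sorted(only_strict) or "none")
```

TLS 1.3 suites are configured separately from this cipher string, so they appear in both expansions and drop out of the diff.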

