[Ach] pls pull, various changes

christian mock cm at coretec.at
Mon Nov 11 13:25:17 CET 2013

On Mon, Nov 11, 2013 at 12:32:13PM +0100, Adi Kriegisch wrote:

> > regarding the cipher suites for apache (and others) -- AFAICT you need
> > apache 2.4 to support ECDHE (debian stable has 2.2), and maybe you
> > don't trust EC. Without ECDHE, *all* versions of IE are excluded,
> > which should at least be mentioned in the document, and will probably
> > be a no-go in a commercial setting.
> nginx provides ECC in Debian/stable for example.

Shall we go mention this in the paper? Or does that lead down an
endless pit of operating systems/distributions and their

> Regarding the cipher string you suggested:
>   tls_high_cipherlist=DHE+AESGCM:ECDHE-ECDSA-AES256-SHA384:\
>     !MD5:!DSS

I copy&pasted that one from the apache section, just to have a
starting point. But your points are definitely valid.

> I hope we can have a short discussion about how we will recommend cipher
> strings in our paper. As of now, we at least have two different cipher
> strings -- one with ECC and one without. Then there might be a
> recommendation based on 256 vs. 128bit and probably one on using DSA (or
> how to use DSA)...

Definitely. We probably should split defining the cipher list and
using it in the config snippets to make the doc structure more usable.


Christian Mock                          Wiedner Hauptstr. 15
Senior Security Engineer                1040 Wien
CoreTEC IT Security Solutions GmbH      +43-1-5037273
FN 214709 z

CoreTEC: Web Application Audit - So that something like this doesn't happen!
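Added example, not part of the thread or the paper: expanding the cipher string quoted above with Python's `ssl` module (which asks the locally installed OpenSSL, exactly as the server being configured would) and grouping the selected suites by key exchange, so one can see at a glance whether any ECDHE suite survives, the condition the thread names for IE clients, and whether `!DSS` really removed the DSS suites. Assumes Python 3.6+ for `SSLContext.get_ciphers()`; the exact suite list depends on the OpenSSL build.

```python
import ssl

# Cipher string quoted in the thread, re-joined from its two wrapped lines.
THREAD_CIPHERLIST = "DHE+AESGCM:ECDHE-ECDSA-AES256-SHA384:!MD5:!DSS"


def expand_cipherlist(spec):
    """Return the TLS <= 1.2 suites an OpenSSL cipher string selects.

    get_ciphers() also reports the TLS 1.3 suites, which OpenSSL enables
    independently of the cipher string, so those are filtered out here.
    set_ciphers() raises ssl.SSLError if the string matches nothing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def classify_key_exchange(spec):
    """Group selected suite names by key exchange (by OpenSSL name prefix)."""
    groups = {"ECDHE": [], "DHE": [], "other": []}
    for c in expand_cipherlist(spec):
        name = c["name"]
        if name.startswith("ECDHE-"):
            groups["ECDHE"].append(name)
        elif name.startswith("DHE-"):
            groups["DHE"].append(name)
        else:
            groups["other"].append(name)
    return groups


def offers_ecdhe(spec):
    """True if at least one ECDHE suite is enabled by the cipher string."""
    return bool(classify_key_exchange(spec)["ECDHE"])


def dss_suites(spec):
    """Suite names still using DSS authentication despite the string."""
    return [c["name"] for c in expand_cipherlist(spec) if "DSS" in c["name"]]


def report(spec):
    groups = classify_key_exchange(spec)
    for kx, names in groups.items():
        print(f"{kx}: {', '.join(names) or '(none)'}")
    print("offers ECDHE:", offers_ecdhe(spec), "| DSS suites:", dss_suites(spec))


if __name__ == "__main__":
    report(THREAD_CIPHERLIST)
    report("DHE+AESGCM:!MD5:!DSS")  # same string with the ECDHE suite dropped
```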