[Ach] Minuscule addition to our epic Cipher String usage
Pepi Zawodsky
pepi.zawodsky at maclemon.at
Sun Nov 17 17:05:48 CET 2013
I found one more way to “improve” the _usage_ of our distilled Cipher String.
To support Internet Explorer we need ECC.
Wth nginx 1.4 you can specify which curve to use and all IE releases do support
ECC curves secp256r1 and secp384r1. Interestingly IE7 on Vista also supports secp521r1 but IE8-11 on Windows 7 do not.
So I specified to use secp384r1 in nginx so we always use the a-little-less-crappy curve which is supported.
ssl_ecdh_curve secp384r1;
Annoyingly enough one cannot specify an order of curves but only a single one.
This still gives us a score of
Certificate 100
Protocol Support 95
Key Exchange 100
Cipher Strength 100
Android does support that from 3.0 upwards.
Interesting observation is that starting with Andoird 4.4 KitKat support for curves has dropped to the three lowly NIST curves. (secp256r1, secp384r1, secp521r1)
This leaves secp384r1 as the least common denominator.
Best regards
Pepi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20131117/94ffb889/attachment.sig>
More information about the Ach
mailing list