[Ach] [ssllabs-discuss] Minimal recommended cipher suite list, pref. as an interactive SSL Labs page

Aaron Zauner azet at azet.org
Thu Jun 12 15:49:13 CEST 2014


Hi,

Hubert Kario wrote:
> 
> Oh, sure, it's not easy. But if we have a large list that is a superset
> of all the generally supported cipher suites (which openssl should be),
> then removing cipher suites shouldn't have too severe impact on the
> security, as long as the library itself supports at least one secure
> cipher suite.
Well, it did remove DHE-AES* and only left AES* in there as a
ciphersuite. So that was really an issue; we've now added :kEDH at the
end, which seems to circumvent this in the 0.9.8 tree:
https://git.bettercrypto.org/ach-master.git/commitdiff/facb0bb40dcf44631ef963be97c2dcce18521f4f
> The admin just must not perform the cargo cult thing and actually check
> if the resulting cipher suite set is sane for the version of crypto
> library he or she uses.
Which is actually a big problem, because admins do not recheck such
things regularly. Especially if it's not the main business case of
their employer.

> Well, if you're testing just server side, then
> https://github.com/jvehent/cipherscan
> should be enough. It requires just bash (you can use statically
> compiled openssl, either the included one or one you compiled yourself).
Sure, I know that. But ideally you want to check client and server, this
is what my scripts currently compare. But only for OpenSSL.

Aaron
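
The check discussed in this thread, as an added example that is not part of the original message or of the bettercrypto scripts: it reads the output of `openssl ciphers -v '<cipher string>'` on stdin and fails when the expansion is empty or has lost every DHE/ECDHE suite. The function names and the two sample expansions are assumptions constructed for illustration, in the column format that `openssl ciphers -v` prints.

```shell
#!/bin/sh
# Added example: audit what a cipher string expands to on this library version.
# Input (stdin): output of `openssl ciphers -v '<string>'`, one suite per line:
#   NAME  PROTO  Kx=...  Au=...  Enc=...  Mac=...

# Count suites with ephemeral key exchange. Static DH/ECDH is printed as
# Kx=DH/RSA or Kx=ECDH/RSA and is deliberately not counted.
count_ephemeral() {
    awk '$3 == "Kx=DH" || $3 == "Kx=ECDH" { n++ } END { print n + 0 }'
}

# Exit 0: at least one DHE/ECDHE suite; 1: none left; 2: empty expansion.
audit_expansion() {
    expansion=$(cat)
    total=$(printf '%s\n' "$expansion" | awk 'NF >= 3 { n++ } END { print n + 0 }')
    pfs=$(printf '%s\n' "$expansion" | count_ephemeral)
    if [ "$total" -eq 0 ]; then
        echo "FAIL: cipher string expands to nothing"
        return 2
    fi
    if [ "$pfs" -eq 0 ]; then
        echo "FAIL: $total suites, none with DHE/ECDHE"
        return 1
    fi
    echo "OK: $pfs of $total suites use DHE/ECDHE"
}

# Constructed sample: an expansion that still contains DHE suites.
SAMPLE_GOOD='DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1'

# Constructed sample: the failure described above, DHE-AES* gone, only AES* left.
SAMPLE_BAD='AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'

printf '%s\n' "$SAMPLE_GOOD" | audit_expansion || true
printf '%s\n' "$SAMPLE_BAD"  | audit_expansion || true

# Live use against the installed library, with your own string in $CIPHERS:
#   openssl ciphers -v "$CIPHERS" | audit_expansion
```

Running the live form once per OpenSSL build you deploy to shows whether the same string still yields forward-secret suites on each of them.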
