[Ach] [ssllabs-discuss] Minimal recommended cipher suite list, pref. as an interactive SSL Labs page

Julien Vehent julien at linuxwall.info
Sat Jun 14 04:35:16 CEST 2014

On 2014-06-12 07:09, Hubert Kario wrote:
> While choice of RC4 is bad, they plan to remove it and reinstate 3DES:
> https://bugzilla.mozilla.org/show_bug.cgi?id=927045 Real Time Soon™

We did, at least, put 3DES above RC4 in production. The CPU cost was 
minimal, so I'll update the wiki page Real Time Soon™

     $ ./cipherscan mozilla.org
     prio  ciphersuite           protocols            pfs_keysize
     1     DHE-RSA-AES128-SHA    SSLv3,TLSv1,TLSv1.1  DH,1024bits
     2     DHE-RSA-AES256-SHA    SSLv3,TLSv1,TLSv1.1  DH,1024bits
     3     EDH-RSA-DES-CBC3-SHA  SSLv3,TLSv1,TLSv1.1  DH,1024bits
     4     AES128-SHA            SSLv3,TLSv1,TLSv1.1
     5     AES256-SHA            SSLv3,TLSv1,TLSv1.1
     6     DES-CBC3-SHA          SSLv3,TLSv1,TLSv1.1
     7     RC4-SHA               SSLv3,TLSv1,TLSv1.1

     Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
     TLS ticket lifetime hint: None
     OCSP stapling: supported

We also started deprecating SSL3 and TLS1 from new sites that require 
newer browsers, and where backward compatibility is not needed.

- Julien

More information about the Ach mailing list