[Ach] [ssllabs-discuss] Minimal recommended cipher suite list, pref. as an interactive SSL Labs page
Julien Vehent
julien at linuxwall.info
Sat Jun 14 04:35:16 CEST 2014
On 2014-06-12 07:09, Hubert Kario wrote:
> While choice of RC4 is bad, they plan to remove it and reinstate 3DES:
> https://bugzilla.mozilla.org/show_bug.cgi?id=927045 Real Time Soon™
We did, at least, put 3DES above RC4 in production. The CPU cost was
minimal, so I'll update the wiki page Real Time Soon™.
$ ./cipherscan mozilla.org
........
prio ciphersuite protocols pfs_keysize
1 DHE-RSA-AES128-SHA SSLv3,TLSv1,TLSv1.1 DH,1024bits
2 DHE-RSA-AES256-SHA SSLv3,TLSv1,TLSv1.1 DH,1024bits
3 EDH-RSA-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1 DH,1024bits
4 AES128-SHA SSLv3,TLSv1,TLSv1.1
5 AES256-SHA SSLv3,TLSv1,TLSv1.1
6 DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1
7 RC4-SHA SSLv3,TLSv1,TLSv1.1
Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: supported
We also started deprecating SSL3 and TLS1 from new sites that require
newer browsers, and where backward compatibility is not needed.
- Julien
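
An added example, not part of the original message or of cipherscan itself: a small Python check that parses a cipherscan table in the layout shown above and confirms the ordering described (3DES above RC4), and lists which suites still negotiate SSLv3. The row layout, the function names and the min_dh_bits threshold are assumptions made for this illustration.

```python
import re

# Constructed sample: the cipherscan rows quoted in the message above.
SAMPLE = """\
prio ciphersuite protocols pfs_keysize
1 DHE-RSA-AES128-SHA SSLv3,TLSv1,TLSv1.1 DH,1024bits
2 DHE-RSA-AES256-SHA SSLv3,TLSv1,TLSv1.1 DH,1024bits
3 EDH-RSA-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1 DH,1024bits
4 AES128-SHA SSLv3,TLSv1,TLSv1.1
5 AES256-SHA SSLv3,TLSv1,TLSv1.1
6 DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1
7 RC4-SHA SSLv3,TLSv1,TLSv1.1
"""

# prio, suite, protocol list, optional "<kx>,<n>bits" column (assumed layout).
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)(?:\s+(\w+),(\d+)bits)?\s*$")

def parse(text):
    """Return the table rows sorted by server preference; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            prio, suite, protos, kx, bits = m.groups()
            rows.append({"prio": int(prio), "suite": suite,
                         "protocols": protos.split(","),
                         "kx": kx, "bits": int(bits) if bits else None})
    return sorted(rows, key=lambda r: r["prio"])

def audit(rows, min_dh_bits=2048):
    """min_dh_bits is an assumed policy threshold, not a value from the thread."""
    rc4 = [r["prio"] for r in rows if "RC4" in r["suite"]]
    tdes = [r["prio"] for r in rows if "DES-CBC3" in r["suite"]]
    pfs = [r["prio"] for r in rows if r["kx"]]
    plain = [r["prio"] for r in rows if not r["kx"]]
    return {
        "rc4_offered": bool(rc4),
        # True when every 3DES suite outranks every RC4 suite (vacuous if either is absent).
        "tdes_above_rc4": all(t < c for t in tdes for c in rc4),
        "pfs_first": all(p < n for p in pfs for n in plain),
        "sslv3_suites": [r["suite"] for r in rows if "SSLv3" in r["protocols"]],
        "weak_dh": [r["suite"] for r in rows
                    if r["kx"] == "DH" and r["bits"] < min_dh_bits],
    }

if __name__ == "__main__":
    for check, result in audit(parse(SAMPLE)).items():
        print(f"{check}: {result}")
```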