[Ach] [ssllabs-discuss] Minimal recommended cipher suite list, pref. as an interactive SSL Labs page
Aaron Zauner
azet at azet.org
Sat Jun 14 18:20:03 CEST 2014
Just out of curiosity; why do you prefer 128bit symmetric ciphers over
256bit ones? In your case both are included, the preference does not make
sense to me.
i.e.: I'd either drop AES256 or order according to symmetric cipher
security (given the same key exchange, MAC,..)
On Sat, Jun 14, 2014 at 4:35 AM, Julien Vehent <julien at linuxwall.info>
wrote:
> On 2014-06-12 07:09, Hubert Kario wrote:
>
>> While choice of RC4 is bad, they plan to remove it and reinstate 3DES:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=927045 Real Time Soon™
>>
>
> We did, at least, put 3DES above RC4 in production. The CPU cost was
> minimal, so I'll update the wiki page Real Time Soon™
>
> $ ./cipherscan mozilla.org
> ........
> prio ciphersuite protocols pfs_keysize
> 1 DHE-RSA-AES128-SHA SSLv3,TLSv1,TLSv1.1 DH,1024bits
> 2 DHE-RSA-AES256-SHA SSLv3,TLSv1,TLSv1.1 DH,1024bits
> 3 EDH-RSA-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1 DH,1024bits
> 4 AES128-SHA SSLv3,TLSv1,TLSv1.1
> 5 AES256-SHA SSLv3,TLSv1,TLSv1.1
> 6 DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1
> 7 RC4-SHA SSLv3,TLSv1,TLSv1.1
>
> Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
> TLS ticket lifetime hint: None
> OCSP stapling: supported
>
> We also started deprecating SSL3 and TLS1 from new sites that require
> newer browsers, and where backward compatibility is not needed.
>
> - Julien
>
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/ach/attachments/20140614/1f25c63a/attachment.html>
More information about the Ach
mailing list