[Ach] SSL for limited user groups
Robert M. Albrecht
lists at romal.org
Thu Jan 1 17:44:32 CET 2015
exactly my point, easy to make errors for non-crypto-experts:
SSLCipherSuite "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA !AES128
-SEED !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
is more reasonable ?
Most tools seems to work, will test Gnome 3 tomorrow.
Am 01.01.15 um 14:11 schrieb Hanno Böck:
> On Thu, 01 Jan 2015 13:26:15 +0100
> "Robert M. Albrecht" <lists at romal.org> wrote:
>> SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
> This doesn't look like a very reasonable config for your setting.
> If you have a closed user group and can rely on only high security
> settings you likely want to limit your config to ciphers with forward
> secrecy and AES-GCM. (and if you're running libressl or some openssl
> preview/beta you can add chacha20)
> It's pretty much consensus that everything using CBC should be
> considered dangerous and we should strive for deprecating it. That
> means all Camellia ciphers and all non-gcm-aes-modes.
> Ach mailing list
> Ach at lists.cert.at
More information about the Ach