<div dir="ltr">Just out of curiosity, why do you prefer 128-bit symmetric ciphers over 256-bit ones? In your case both are included, so the preference does not make sense to me.<div>i.e.: I'd either drop AES256 or order according to symmetric cipher security (given the same key exchange, MAC, ...)<br>
</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Jun 14, 2014 at 4:35 AM, Julien Vehent <span dir="ltr">&lt;<a href="mailto:julien@linuxwall.info" target="_blank">julien@linuxwall.info</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On 2014-06-12 07:09, Hubert Kario wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
While choice of RC4 is bad, they plan to remove it and reinstate 3DES:<br>
<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=927045" target="_blank">https://bugzilla.mozilla.org/show_bug.cgi?id=927045</a> Real Time Soon™<br>
</blockquote>
<br></div>
We did, at least, put 3DES above RC4 in production. The CPU cost was minimal, so I'll update the wiki page Real Time Soon™<br>
<br>
$ ./cipherscan <a href="http://mozilla.org" target="_blank">mozilla.org</a><br>
........<br>
prio ciphersuite protocols pfs_keysize<br>
1 DHE-RSA-AES128-SHA SSLv3,TLSv1,TLSv1.1 DH,1024bits<br>
2 DHE-RSA-AES256-SHA SSLv3,TLSv1,TLSv1.1 DH,1024bits<br>
3 EDH-RSA-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1 DH,1024bits<br>
4 AES128-SHA SSLv3,TLSv1,TLSv1.1<br>
5 AES256-SHA SSLv3,TLSv1,TLSv1.1<br>
6 DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1<br>
7 RC4-SHA SSLv3,TLSv1,TLSv1.1<br>
<br>
Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature<br>
TLS ticket lifetime hint: None<br>
OCSP stapling: supported<br>
<br>
We also started deprecating SSL3 and TLS1 from new sites that require newer browsers, and where backward compatibility is not needed.<span class="HOEnZb"><font color="#888888"><br>
<br>
- Julien</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
Ach mailing list<br>
<a href="mailto:Ach@lists.cert.at" target="_blank">Ach@lists.cert.at</a><br>
<a href="http://lists.cert.at/cgi-bin/mailman/listinfo/ach" target="_blank">http://lists.cert.at/cgi-bin/mailman/listinfo/ach</a><br>
</div></div></blockquote></div><br></div>
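<div>Added example, not part of either message and not cipherscan's own code: a small Python check that parses a cipherscan listing and reports where the server prefers a weaker bulk cipher over a stronger one within the same key exchange and MAC, which is the ordering question raised in the reply. The <code>STRENGTH</code> ranking and the function names are assumptions of this example; the sample input is the listing quoted in the thread.</div>

```python
import re

# Constructed sample: the cipherscan listing quoted in the thread.
SCAN = """\
prio ciphersuite protocols pfs_keysize
1 DHE-RSA-AES128-SHA SSLv3,TLSv1,TLSv1.1 DH,1024bits
2 DHE-RSA-AES256-SHA SSLv3,TLSv1,TLSv1.1 DH,1024bits
3 EDH-RSA-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1 DH,1024bits
4 AES128-SHA SSLv3,TLSv1,TLSv1.1
5 AES256-SHA SSLv3,TLSv1,TLSv1.1
6 DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1
7 RC4-SHA SSLv3,TLSv1,TLSv1.1
"""

# Assumption of this example: bulk ciphers ranked weakest to strongest.
STRENGTH = ["RC4", "DES-CBC3", "AES128", "AES256"]
KX_PREFIXES = (("ECDHE-", "ECDHE"), ("DHE-", "DHE"), ("EDH-", "DHE"))

def parse(scan):
    """Return the scan rows sorted by server priority."""
    rows = []
    for line in scan.splitlines():
        m = re.match(r"(\d+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$", line.strip())
        if m:
            rows.append({"prio": int(m[1]), "suite": m[2],
                         "protocols": m[3].split(","), "pfs": m[4]})
    return sorted(rows, key=lambda r: r["prio"])

def classify(suite):
    """Split an OpenSSL suite name into (key exchange, bulk cipher, MAC)."""
    kx = next((k for p, k in KX_PREFIXES if suite.startswith(p)), "RSA")
    cipher = next((c for c in STRENGTH if c in suite), None)
    return kx, cipher, suite.rsplit("-", 1)[-1]

def inversions(rows):
    """Pairs (preferred, later) where the preferred suite has the weaker
    bulk cipher and both share key exchange and MAC."""
    found = []
    for i, hi in enumerate(rows):
        for lo in rows[i + 1:]:
            a, b = classify(hi["suite"]), classify(lo["suite"])
            if None in (a[1], b[1]) or (a[0], a[2]) != (b[0], b[2]):
                continue  # unknown cipher, or not comparable like for like
            if STRENGTH.index(a[1]) < STRENGTH.index(b[1]):
                found.append((hi["suite"], lo["suite"]))
    return found

if __name__ == "__main__":
    for preferred, later in inversions(parse(SCAN)):
        print(f"{preferred} is preferred over {later}")
```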