[Ach] Cipher-Order: AES128/AES256 - was: Secure E-Mail Transport based on DNSSec/TLSA/DANE

Adi Kriegisch adi at kriegisch.at
Sun Nov 8 14:09:55 CET 2015


Hi!

> OK. 
> So push back the older TLSv1 ciphers too by adding "+TLSv1" on the right
> position:
Hehe... fun, isn't it?! ;-)
 
> $ openssl ciphers -v
> '-ALL:ECDH+aRSA+AES:DH+aRSA+AES:aRSA+kRSA+AES:+AES256:+TLSv1:+kRSA' |
You could also try:
'kEDH+aRSA+AES:kEECDH+aRSA+AES:+AES256:+SSLv3:AES256-SHA'
or -- as you desire EC stuff first:
'kEECDH+aRSA+AES:kEDH+aRSA+AES:+AES256:+SSLv3:AES256-SHA'
leading to:
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA
AES256-SHA

or on pretty old openssl 0.9.8:
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
ECDH-RSA-AES256-SHA
ECDH-RSA-AES128-SHA
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA

If you explicitly select included ciphers, '-ALL' isn't required. If you
just want to use AES256-SHA as a fallback, list it explicitly at the end. I
am not sure if '+TLSv1' works everywhere but using '+SSLv3' does no harm:
protocol support as well as curve selection and the like cannot be done in
the cipher string in openssl (in contrary to gnutls for example).

-- Adi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 827 bytes
Desc: Digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20151108/cb4104d7/attachment.sig>


More information about the Ach mailing list