Hi!

> OK.
> So push back the older TLSv1 ciphers too by adding "+TLSv1" on the right
> position:

Hehe... fun, isn't it?! ;-)

> $ openssl ciphers -v
> '-ALL:ECDH+aRSA+AES:DH+aRSA+AES:aRSA+kRSA+AES:+AES256:+TLSv1:+kRSA' |

You could also try:

'kEDH+aRSA+AES:kEECDH+aRSA+AES:+AES256:+SSLv3:AES256-SHA'

or -- as you desire EC stuff first:

'kEECDH+aRSA+AES:kEDH+aRSA+AES:+AES256:+SSLv3:AES256-SHA'

leading to:

ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA
AES256-SHA

or on pretty old openssl 0.9.8:

ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
ECDH-RSA-AES256-SHA
ECDH-RSA-AES128-SHA
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA

If you explicitly select included ciphers, '-ALL' isn't required. If you
just want to use AES256-SHA as a fallback, list it explicitly at the end.

I am not sure if '+TLSv1' works everywhere, but using '+SSLv3' does no harm:
protocol support as well as curve selection and the like cannot be done in
the cipher string in openssl (in contrast to gnutls, for example).

-- Adi

_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
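
The ordering that the EC-first string in the message above leads to can be reproduced with a small model of the cipher-string operators. This is an added example, not part of the original mail and not OpenSSL's code: the cipher table, its row order, and the names `parse_pool`, `expand`, `POOL` and `EC_FIRST` are constructed for illustration.

```python
# Constructed cipher table (not OpenSSL's own data): name, key exchange, auth,
# cipher, protocol column as `openssl ciphers -v` prints it. The row order
# stands in for OpenSSL's strength-sorted internal pool (assumption).
TABLE = """
ECDHE-RSA-AES256-GCM-SHA384    kEECDH aRSA   AES256 TLSv1.2
ECDHE-ECDSA-AES256-GCM-SHA384  kEECDH aECDSA AES256 TLSv1.2
ECDHE-RSA-AES256-SHA384        kEECDH aRSA   AES256 TLSv1.2
ECDHE-RSA-AES256-SHA           kEECDH aRSA   AES256 SSLv3
DHE-RSA-AES256-GCM-SHA384      kEDH   aRSA   AES256 TLSv1.2
DHE-RSA-AES256-SHA256          kEDH   aRSA   AES256 TLSv1.2
DHE-RSA-AES256-SHA             kEDH   aRSA   AES256 SSLv3
AES256-SHA                     kRSA   aRSA   AES256 SSLv3
ECDHE-RSA-AES128-GCM-SHA256    kEECDH aRSA   AES128 TLSv1.2
ECDHE-RSA-AES128-SHA256        kEECDH aRSA   AES128 TLSv1.2
ECDHE-RSA-AES128-SHA           kEECDH aRSA   AES128 SSLv3
DHE-RSA-AES128-GCM-SHA256      kEDH   aRSA   AES128 TLSv1.2
DHE-RSA-AES128-SHA256          kEDH   aRSA   AES128 TLSv1.2
DHE-RSA-AES128-SHA             kEDH   aRSA   AES128 SSLv3
AES128-SHA                     kRSA   aRSA   AES128 SSLv3
"""

def parse_pool(table):
    pool = []
    for row in filter(None, map(str.strip, table.splitlines())):
        name, kx, au, enc, proto = row.split()
        # Tags a term can match: the name, each attribute, the family, ALL.
        pool.append((name, {name, kx, au, enc, enc.rstrip("0123456789"), proto, "ALL"}))
    return pool

def expand(cipher_string, pool):
    """Simplified model of evaluating a cipher string term by term."""
    active, killed = [], set()
    for term in filter(None, cipher_string.split(":")):
        op = term[0] if term[0] in "+-!" else ""
        want = set(term[len(op):].split("+"))   # 'a+b+c' means a AND b AND c
        hit = lambda c: want <= c[1]
        if op == "+":                           # move active matches to the end
            active = [c for c in active if not hit(c)] + [c for c in active if hit(c)]
        elif op:                                # '-' removes, '!' removes for good
            active = [c for c in active if not hit(c)]
            if op == "!":
                killed |= {c[0] for c in pool if hit(c)}
        else:                                   # append new matches in pool order
            active += [c for c in pool if hit(c) and c not in active and c[0] not in killed]
    return [name for name, _ in active]

POOL = parse_pool(TABLE)
EC_FIRST = "kEECDH+aRSA+AES:kEDH+aRSA+AES:+AES256:+SSLv3:AES256-SHA"
```

Calling `expand(EC_FIRST, POOL)` returns the 13 names in the order listed in the message; prefixing the string with `-ALL:` gives the same result, since nothing is active yet when that term is evaluated.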
