Hoi! > On 02 Mar 2016, at 14:42, Sebastian <[email protected]> wrote: > This enables the cipherstring-group SSLv3, not the protocol. > On 03/02/2016 03:33 PM, Martin wrote: >> where it is the :+SSLv3: part that to me looks like it is enabled despite the >> SSLProtocol All -SSLv2 -SSLv3 >> Can anyone tell me, if :+SSLv3: really should be there?
Since this question has been posted to this mailing list a dozen times now, I guess we should put the corresponding explanation into the ACH guide since the cipher-string-black-magic seems to confuse many people. I totally agree that this notation is counter-intuitive. Yet, Sebastian is totally right. This enables Cipher suites _defined_ in the SSLv3 spec (which are used in TLS 1.0 and above as well) but definitely does not turn on the SSLv3 protocol. As a matter of fact ACH always recommended to completely turn off SSLv2 and SSLv3 from the very beginning on. Sidenote: Cipher-Suite B works fine with HTTP/2, if you want to use Cipher-Suite-A you must change it, since you can end up with a valid TLS 1.2 negotiated cipher suite that is blacklisted by HTTP/2 afterwards. Gives all kinds of weird and really not helpful error messages in browsers. We’re working on updated suites, which is becoming more and more complex with the expanded landscape of TLS libs around. Best regards Pepi
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Ach mailing list [email protected] http://lists.cert.at/cgi-bin/mailman/listinfo/ach
