Hi Dirk, > Maybe the ciphers could be a little bit re-arranged. > What I did find is the following. Maybe it is an option? > HIGH:!LOW:!SEED:!DSS:!SSLv2:!aNULL:!eNULL:!NULL:!EXPORT:!ADH:!IDEA:!ECDSA:!3DES:!DES:!MD5:!PSK:!RC4:@STRENGTH
I just had a chance to test this out and the results are indeed interesting. When I used the above line and tested the results with the online-test of SSL-labs, the general rating of the SSL-implementation remained the same: A solid "A" for the implementation. Both before and after the change. The "handshake simulation" that represents which browsers on what OS would use which protocol and cipher however? That's where it started to shine. Almost every Windows or Linux browser ended up with one of these two: - TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (IE11 Win Phone) - TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Rest) The old (current) implementation gave us: - TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (IE11 Win Phone) - TLS 1.2 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (Rest) In addition your suggestion gives us 4 extra TLSv1.2 ciphers with just 128bit beyond those that we already supported as fallback. The good thing across the board with your suggestion? Almost everywhere we do get ECDH secp256r1 for everything that supports elliptic curves (including most Apple products) and for those who don't we fall back to DH4096 bit, which we preferred before. Using elliptic curves is a two edged sword and in the absence of a definite wisdom on if secp256r1 has been specifically weakened by the NSA during the design phase the arguments for or against it are philosophical. What is clear is that secp256r1 is faster and causes less load than the DH4096 bit that we currently use predominantly. Bottom line: I think we should go for it. I'll add the new CipherSuite to the update of base-ssl that I'm currently working on. Many thanks for the suggestion! -- With best regards Michael Stauber _______________________________________________ Blueonyx mailing list Blueonyx@mail.blueonyx.it http://mail.blueonyx.it/mailman/listinfo/blueonyx