❦ 21 February 2015 13:29 +0100, Kurt Roeckx <k...@roeckx.be> :

>> > The defaults are good enough, as long as you don't really care
>> > about PFS because IE doesn't have those at the top of its list.
>> > If you just change it to prefer the default server ordering you
>> > should already have a decent list, but it prefers AES256 over
>> > AES128 while there is no need for that.
>>
>> PFS, performance and A+ grade on the Qualys SSL test. This may be a bit less
>> true today since most browsers are now supporting ECDHE ciphers but it
>> still holds, I think.
>
> Do you know what the minimum change requirements are to get an
> A(+)?
> I'm guessing it requires at least this in wheezy:
> - SSLProtocol all -SSLv3
> - SSLHonorCipherOrder off
>
> It might require you to disable RC4, but if that's the case we
> should probably talk to Qualys about it.
Yes, the grade is capped to B if accepting RC4. I see two possibilities for this choice: either downgrade attacks (when not circumvented), or it is considered preferable to use AES or even 3DES (the BEAST attack being prevented on the server side).

Relying on the default cipher suite would also mean that it is updated during the life-cycle of the distribution. This could be good or bad (breaking existing setups).

-- 
A man was reading The Canterbury Tales one Saturday morning, when his wife asked "What have you got there?" Replied he, "Just my cup and Chaucer."
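The two settings the thread says decide the grade, SSLv3 still enabled via SSLProtocol and RC4 still accepted by SSLCipherSuite, can be checked in a config fragment before deploying it. The script below is an added example, not code from the thread or from Debian's apache2 package; it assumes that `SSLProtocol all` expands to SSLv3 plus TLS 1.0 to 1.2 (a wheezy/OpenSSL 1.0.1 era build) and only looks for an explicit `!RC4` token, so the authoritative RC4 check remains `openssl ciphers -v '<SSLCipherSuite string>'`.

```python
"""Audit an Apache mod_ssl fragment for the settings discussed in the thread.
Approximate and offline; see the lead-in for what is assumed."""

# Assumption: what 'all' expands to on a wheezy-era OpenSSL 1.0.1 build (SSLv2 excluded).
ALL_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}


def parse_directives(config):
    """Return (lower-cased name, args) pairs for SSL* directives, ignoring comments."""
    directives = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("ssl"):
            parts = line.split(None, 1)
            directives.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return directives


def sslv3_enabled(protocol_args):
    """Apply SSLProtocol tokens left to right: '+' or bare adds, '-' removes."""
    enabled = set()
    for tok in protocol_args.split():
        name = tok.lstrip("+-").lower()
        names = set(ALL_PROTOCOLS) if name == "all" else {name}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return "sslv3" in enabled


def rc4_excluded(cipher_args):
    """True only if some token of the OpenSSL cipher string removes RC4 (e.g. !RC4)."""
    return any(tok.startswith(("!", "-")) and "RC4" in tok.upper()
               for tok in cipher_args.split(":"))


def audit(config):
    """Return the list of findings; an empty list means both checks pass."""
    seen = dict(parse_directives(config))  # last occurrence wins, as in Apache
    findings = []
    if sslv3_enabled(seen.get("sslprotocol", "all")):
        findings.append("SSLv3 enabled: use 'SSLProtocol all -SSLv3'")
    if not rc4_excluded(seen.get("slciphersuite".replace("s", "ss", 1), "DEFAULT")):
        findings.append("RC4 not excluded from SSLCipherSuite: append ':!RC4'")
    return findings


# Constructed sample fragments, not any real server's configuration.
WHEEZY_LIKE = "SSLProtocol all\nSSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5\n"
HARDENED = ("SSLProtocol all -SSLv3\n"
            "SSLHonorCipherOrder off\n"
            "SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4\n")

if __name__ == "__main__":
    for label, cfg in (("wheezy-like", WHEEZY_LIKE), ("hardened", HARDENED)):
        print(label, audit(cfg) or ["ok"])
```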