On 26/01/17 00:16, Andrew Gallagher wrote:
>
> gnupg.org *does* keep 3DES at the end of the supported suites, so surely
> it should not be affected. I'm tempted to write this off as a
> mistake by ssllabs.

I've spoken to ssllabs and it appears that this was an ambiguity in the
wording of their blog post. That means the downgrade to C next month is
legit - not because 3DES is present, but because 3DES is present *and*
GCM is absent.

What both this and Glenn's Apple issue have in common is the lack of
ECDHE+GCM suites in the cipher list. I generally use the following
config in Apache:

SSLCipherSuite \
"EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
EECDH EDH+AESGCM EDH+aRSA +3DES 3DES \
!aNULL !eNULL !LOW !EXP !MD5 !KRB5 !PSK !SRP !DSS !SEED !RC4"

This uses all HIGH suites in a sensible order but still falls back to
3DES for XP compatibility. When retiring 3DES this simplifies to:

SSLCipherSuite \
"EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
EECDH EDH+AESGCM EDH+aRSA !MEDIUM !LOW !aNULL !eNULL !PSK"

Andrew.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
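
To see what the two cipher strings in the message above expand to on a given OpenSSL build, and to check for the combination it describes (3DES present with no GCM suite), here is an added example that is not part of the original message. It uses Python's standard ssl module; the function names are illustrative, and the output depends on the local OpenSSL build, many of which no longer compile in 3DES.

```python
import ssl

# The two cipher strings from the message above, each joined onto one line.
WITH_3DES = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
    "EECDH EDH+AESGCM EDH+aRSA +3DES 3DES "
    "!aNULL !eNULL !LOW !EXP !MD5 !KRB5 !PSK !SRP !DSS !SEED !RC4"
)
WITHOUT_3DES = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
    "EECDH EDH+AESGCM EDH+aRSA !MEDIUM !LOW !aNULL !eNULL !PSK"
)


def expand(cipher_string):
    """Return the ordered TLS <= 1.2 suite names the local OpenSSL selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites (named TLS_*) are configured separately; skip them.
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]


def is_3des(name):
    return "DES-CBC3" in name  # OpenSSL's naming for 3DES-CBC suites


def audit(cipher_string):
    names = expand(cipher_string)
    tdes_at = [i for i, n in enumerate(names) if is_3des(n)]
    return {
        "suites": names,
        "first": names[0] if names else None,
        "ecdhe_gcm": [n for n in names if n.startswith("ECDHE-") and "GCM" in n],
        "has_3des": bool(tdes_at),
        # True when every 3DES suite sorts after every non-3DES suite.
        "3des_last": not tdes_at or tdes_at[0] == len(names) - len(tdes_at),
        # The combination the message says triggers the downgrade.
        "3des_without_gcm": bool(tdes_at) and not any("GCM" in n for n in names),
    }


if __name__ == "__main__":
    for label, s in (("with 3DES", WITH_3DES), ("3DES retired", WITHOUT_3DES)):
        r = audit(s)
        print(label, {k: v for k, v in r.items() if k != "suites"})
        print("  " + "\n  ".join(r["suites"]))
```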