Hi, Last two days, i have do some tests with polarssl 1.3.10 (and the 1.4.0 branch SID) based on the work of Perry Kundert (PR 14) and the extented list of ciphers based on my PR 15. All compile and works fine. It's allow to use more ciphers (from TLS 1.2, 1.1, 1.0) and disable SSLv3 due POODLE attack. It's give very good results on ssllabs. The only browser which fail at the first negociation is IE6 under WinXP, not a more issue for me.
All weak or broken ciphers are listed but commented in the code, if someone really need it we can create a compilation define to enable it. Can someone with write access to the repo can integrate thoses pull-requests, and release ? Cheers, William On Thu, Mar 12, 2015 at 3:37 PM, Florian Anderiasch <[email protected]> wrote: > On 03/12/2015 01:08 PM, William MARTIN wrote: > > > Why the major part of ciphers (enabled in polar_ssl.h) are not listed in > > server.c ? Due that we can't use thoses ciphers. Most of ciphers listed > > on the following link are compiled but we can't use it. Can i do a pull > > request to add thoses missing ciphers in the list ? > > https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility > > To quote from your linked page: > > For services that don't need backward compatibility, the parameters > below provide a higher level of security. This configuration is > compatible with Firefox 27, Chrome 22, IE 11, Opera 14 and Safari 7. > > Chrome 22 was released 2012-09-25. Now look at the majority of commits ;) > > But apart from guessing I can't answer your other questions, I don't see > a reason why a modernization of ssl cipher support could be bad. > > Greetings. > Florian > -- --------------------------------------------------------- William MARTIN wysman @NoSpAm@ gmail @DoT@ com
