On Nov 15, 2012, at 18:04 , "Dr. Stephen Henson" <st...@openssl.org> wrote:
> The -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH option was a quick hack to workaround > some broken servers. It may not be needed now many have been fixed and > applications where you have some control over the connection parameters > don't really need it at all. So far, we have encountered a handful of servers that are still broken, while the server referenced in my previous mail was the first one that failed with MAX_TLS1_2_CIPHER_LENGTH. > It might be that there are no supported ciphersuites in the truncated list: > try messing around with the ciphers and disable (for example) ECDH. For > example DEFAULT:!ECDH The server in question actually supports only RC4-MD5 AES128-SHA, both of which get cut off. Rearranging the Ciphers with e.g. RC4-MD5:DEFAULT fixes this. Since openssl is part of a product that we ship, would you consider moving RC4-MD5 to the front of the cipher list by default a good idea, or are there drawbacks that I overlooked, or would this even be preferred, since RC4 has been propagated as a mitigating method for the so called BEAST attack? regards, rainer______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
