On 14.12.2013 00:00, Dr. Stephen Henson wrote:
How are you disabling RSA key exchange?
by setting all ciphers beginning with RSA to no in FF
If you disable RSA for authentication too you'll hit problems if you don't have a non-RSA certificate. So for example: ECDHE-ECDSA-3DES-EDE-SHA needs an ECDSA certificate (that's the same as ECDHE-ECDSA-DES-CBC3-SHA).
can you please give an example of such an ECDSA certificate?
You can disable RSA key exchange by appending the string !kRSA to the cipher string, for example: "DEFAULT:!kRSA". Also if you want to support EDH ciphersuites you need to set some DH parameters and for ECDH a suitable curve.
this is the option in squid "against" my client:
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/cert/squid.pem cipher=DEFAULT:!kRSA options=NO_SSLv2,SINGLE_DH_USE dhparams=/etc/squid/cert/dhparam.pem
Thanks, Walter