On 17.04.16 at 18:22, Steffan Karger wrote:
> In the past years, the internet has been moving forward wrt deprecating
> older and less secure ciphers. Let's follow this example in OpenVPN and
> further restrict the default list of negotiable TLS ciphers.
>
> Compared to earlier, this disables the following:
> * Ciphers in the LOW and MEDIUM security cipher list of OpenSSL
>   The LOW suite will be completely removed from OpenSSL in 1.1.0,
>   the MEDIUM suite contains ciphers like RC4 and SEED.
> * Ciphers that do not provide forward secrecy (static DH/ECDH keys)
> * DSA private keys (rarely used, and usually restricted to 1024 bits)

ACK from me. The code looks good and the change makes sense to me.

Arne
