> On Apr 13, 2017, at 1:49 PM, Zbyszek Żółkiewski <t...@onefellow.com> wrote:
>
> Thanks for the insights,
>
> Please note that "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
> is a default postfix configuration

Yes, I set that default...

> - and I do not change it - just by adding ECDSA at the beginning, I am
> changing order of ciphers.

That's a change.

> And you stated that "OpenSSL prefers ECDSA to RSA by default."

It is true, when all the other factors that go into cipher selection
are equal.  Strong key exchange, ... takes precedence over the public
key (authentication) algorithm preference.  With OpenSSL 1.1.0, the
top few ciphers are:

    ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
    ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(256)            Mac=AEAD
    DHE-DSS-AES256-GCM-SHA384     TLSv1.2 Kx=DH   Au=DSS   Enc=AESGCM(256)            Mac=AEAD
    DHE-RSA-AES256-GCM-SHA384     TLSv1.2 Kx=DH   Au=RSA   Enc=AESGCM(256)            Mac=AEAD
    ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-RSA-CHACHA20-POLY1305   TLSv1.2 Kx=ECDH Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
    DHE-RSA-CHACHA20-POLY1305     TLSv1.2 Kx=DH   Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-ECDSA-AES256-CCM8       TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(256)           Mac=AEAD
    ECDHE-ECDSA-AES256-CCM        TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256)            Mac=AEAD
    DHE-RSA-AES256-CCM8           TLSv1.2 Kx=DH   Au=RSA   Enc=AESCCM8(256)           Mac=AEAD

Note that ECDSA ciphers precede the *otherwise equivalent* RSA ciphers.

> openssl ciphers
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:……..

Yes, RSA was preferred in OpenSSL <= 1.0.2.

> that is openssl 1.0.1 (debian 8), openssl in fact mixes ECDHE-RSA and
> ECDHE-ECDSA (I guess order is because that suite is similar in strength,
> maybe)

Your main security risk is weak key agreement, not weak authentication.
It is unlikely that your CPU is overtaxed doing RSA handshakes.  It is
simplest to let the RSA preference of OpenSSL 1.0.x stand.

Getting the cipher order right with ECDSA preferred over RSA for
otherwise equivalent and *sensibly ordered* parameters requires more
care than is worth the effort.
The supported ciphers change with time, and the entire cipher selection
process changes completely with TLS 1.3.  Just let the defaults stand.
Yes, your ECDSA certificate will rarely be used (actually with
"tls_preempt_cipherlist = no", some OpenSSL >= 1.1.0 clients will
prefer ECDSA, if they don't prefer aNULL instead).

-- 
        Viktor.
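
Added example, not part of the original message: a small Python check of the "otherwise equivalent" point, run over the OpenSSL 1.1.0 listing quoted above. The function names are hypothetical, and the OpenSSL 1.0.1 sample is constructed from the four names in the quoted list, with the `-v` fields filled in as an assumption.

```python
import re

# The OpenSSL 1.1.0 `ciphers -v` lines quoted in the message above.
OPENSSL_110 = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD
DHE-RSA-AES256-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(256) Mac=AEAD
"""
# Constructed sample: the four OpenSSL 1.0.1 names from the quoted list,
# written in `ciphers -v` form (the Kx/Au/Enc/Mac fields are an assumption).
OPENSSL_101 = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
"""
LINE = re.compile(r"(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")

def parse(listing):
    """Return (name, proto, kx, au, enc, mac) tuples in preference order."""
    return [m.groups() for m in map(LINE.match, listing.splitlines()) if m]

def auth_order(listing):
    """Map (proto, kx, enc, mac) -> authentication algorithms, in list order."""
    groups = {}
    for _name, proto, kx, au, enc, mac in parse(listing):
        groups.setdefault((proto, kx, enc, mac), []).append(au)
    return groups

def preferred_auth(listing, a="ECDSA", b="RSA"):
    """Among ciphers equal in everything but Au, which of a/b comes first?"""
    return {a if aus.index(a) < aus.index(b) else b
            for aus in auth_order(listing).values() if a in aus and b in aus}

def strictly_before(listing, a="ECDSA", b="RSA"):
    """True only if every a-authenticated cipher precedes every b one."""
    aus = [row[3] for row in parse(listing)]
    return max(i for i, x in enumerate(aus) if x == a) < aus.index(b)

if __name__ == "__main__":
    print(preferred_auth(OPENSSL_110), strictly_before(OPENSSL_110))
```

On the 1.1.0 listing ECDSA wins every tie, yet it is not ahead of RSA across the whole list, because the cipher and key-exchange ordering comes first.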