Re: SSL/TLS encryption algorithms
> > $ openssl ciphers -v DHE-RSA-CAMELLIA256-SHA
> > DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
> >
> > $ openssl ciphers -v AES128-SHA256
> > AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
> >
> > Does your application need to perform faster, offer forward-secrecy, be
> > most interoperable, ... ?
>
> these were the result of using 2 different browsers with the same SSL
> website ...
> (1) an old firefox
> (2) the latest IE - IE11 on Win 8.1
>
> https://ssl.mathemainzel.info/info/
> you can try your browser ...
>
> how would I define forward-secrecy on Apache webserver?

If the server negotiated both ciphers, it already supports forward-secrecy
(aka PFS) if the client does too.

--
Viktor.
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: SSL/TLS encryption algorithms
Hello,

On 01.11.2013 22:34, Viktor Dukhovni wrote:
> On Fri, Nov 01, 2013 at 09:56:10PM +0100, Walter H. wrote:
>
>> Which one of the following two is better (1) or (2)?
>>
>> (1)
>>
>> SSL_CIPHER=DHE-RSA-CAMELLIA256-SHA
>
> $ openssl ciphers -v DHE-RSA-CAMELLIA256-SHA
> DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
>
>> (2)
>>
>> SSL_CIPHER=AES128-SHA256
>
> $ openssl ciphers -v AES128-SHA256
> AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
>
> They're both fine.
>
> Does your application need to perform faster, offer forward-secrecy, be
> most interoperable, ... ?

these were the result of using 2 different browsers with the same SSL
website ...
(1) an old firefox
(2) the latest IE - IE11 on Win 8.1

https://ssl.mathemainzel.info/info/
you can try your browser ...

how would I define forward-secrecy on Apache webserver?

Thanks,
Walter
Re: SSL/TLS encryption algorithms
On Fri, Nov 01, 2013 at 09:56:10PM +0100, Walter H. wrote:

> Which one of the following two is better (1) or (2)?
>
> (1)
>
> SSL_CIPHER=DHE-RSA-CAMELLIA256-SHA

    $ openssl ciphers -v DHE-RSA-CAMELLIA256-SHA
    DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1

> (2)
>
> SSL_CIPHER=AES128-SHA256

    $ openssl ciphers -v AES128-SHA256
    AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256

They're both fine.  Your question has no answer, except that neither is
known to be weak enough that you should avoid it.  The latter requires
OpenSSL 1.0.1 which (IIRC) introduces support for TLSv1.2.

- These are available at different minimum protocol versions.
- These use different bulk crypt algorithms
- At different key lengths
- With different key exchange algorithms.

Does your application need to perform faster, offer forward-secrecy, be
most interoperable, ... ?

--
Viktor.
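The distinction Viktor draws above (Kx=DH versus Kx=RSA in the `openssl ciphers -v` output) is exactly what decides Walter's later forward-secrecy question: a suite whose key exchange is ephemeral Diffie-Hellman (Kx=DH or Kx=ECDH) gives PFS, a suite with Kx=RSA does not, because the premaster secret is encrypted to the server's long-term key. The script below is an added example, not code from the thread or from the OpenSSL project; it parses lines in the `openssl ciphers -v` format and classifies each one. The sample input is constructed for the example: the two lines quoted in the thread plus one ECDHE suite that is assumed, not taken from the thread.

```sh
# Added example: classify `openssl ciphers -v` lines by key-exchange type.
# Line format: NAME PROTO Kx=... Au=... Enc=... Mac=...

# Constructed sample input: the two suites from the thread plus one ECDHE
# suite (assumed for illustration, not from the thread).
SAMPLE_CIPHERS='DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD'

# fs_status LINE -> prints "forward-secret", "static" or "unknown".
# In this output Kx=DH and Kx=ECDH denote ephemeral (EC)DH key exchange;
# Kx=RSA means the client encrypts the premaster secret to the server's
# long-term RSA key, so a later key compromise exposes recorded sessions.
fs_status() {
    kx=$(printf '%s\n' "$1" | sed -n 's/.*Kx=\([^ ]*\).*/\1/p')
    case "$kx" in
        DH|ECDH) echo forward-secret ;;
        '')      echo unknown ;;
        *)       echo static ;;
    esac
}

# count_forward_secret LIST -> number of forward-secret suites in LIST
# (one cipher line per row). Uses a here-document so the counter is not
# lost in a pipeline subshell.
count_forward_secret() {
    n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if [ "$(fs_status "$line")" = forward-secret ]; then
            n=$((n + 1))
        fi
    done <<EOF
$1
EOF
    echo "$n"
}

# report LIST -> one line per suite: name and classification
report() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%-32s %s\n' "${line%% *}" "$(fs_status "$line")"
    done
}

report "$SAMPLE_CIPHERS"
```

On a real host, feed the script live output instead of the constructed sample, for example `openssl ciphers -v 'ALL:!aNULL'` piped through `report`, to see which suites in a candidate cipher string are forward-secret before putting that string into mod_ssl's `SSLCipherSuite`; with `SSLHonorCipherOrder on` the server then prefers the ephemeral suites over static RSA for any client that supports them.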
SSL/TLS encryption algorithms
Hello,

Which one of the following two is better (1) or (2)?

(1)

SSL_CIPHER=DHE-RSA-CAMELLIA256-SHA
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=256
SSL_COMPRESS_METHOD=NULL
SSL_PROTOCOL=TLSv1
SSL_SECURE_RENEG=true

(2)

SSL_CIPHER=AES128-SHA256
SSL_CIPHER_ALGKEYSIZE=128
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=128
SSL_COMPRESS_METHOD=NULL
SSL_PROTOCOL=TLSv1.2
SSL_SECURE_RENEG=true

Thanks,
Walter