> On May 26, 2016, at 9:44 AM, Angus Robertson - Magenta Systems Ltd
> wrote:
>
> I have two custom Windows web sites, running released and beta versions
> of OpenSSL. The beta version only gets an A- score with SSL Labs,
> whereas the release version gets A+.
>
> https://www1.telecom-tariffs.co.uk/serverinfo.htm
>
> shows server status, and that it's running OpenSSL 1.1.0-pre5 (beta) 19
> Apr 2016, SSL Labs says: 'Cipher Suites (sorted by strength as the
> server has no preference;) The server does not support Forward Secrecy
> with the reference browsers. Grade reduced to A-.'
>
> https://www.telecom-tariffs.co.uk/serverinfo.htm
>
> is the main live server running OpenSSL 1.0.2h 3 May 2016, and gets a
> score A+ saying 'Cipher Suites (SSL 3+ suites in server-preferred
> order)'.
Sites like SSL Labs sometimes have bugs, and also your server configuration
may lack DHE or ECDHE parameters. In any case, OpenSSL 1.1.0 beta does support
server preference, and I don't think any recent commits either broke or fixed
this.
Testing against with Postfix compiled against HEAD I see:
# postconf -e "tls_preempt_cipherlist = no"
# postfix reload
postfix/postfix-script: refreshing the Postfix mail system
# posttls-finger -Lsummary -lencrypt -c -o "tls_medium_cipherlist =
AES128-SHA:AES256-SHA" "[localhost]:25"
posttls-finger: Untrusted TLS connection established to
localhost[127.0.0.1]:25: TLSv1.2 with cipher AES128-SHA (128/128 bits)
# postconf -e "tls_preempt_cipherlist = yes"
# postfix reload
postfix/postfix-script: refreshing the Postfix mail system
# posttls-finger -Lsummary -lencrypt -c -o "tls_medium_cipherlist =
AES128-SHA:AES256-SHA" "[localhost]:25"
posttls-finger: Untrusted TLS connection established to
localhost[127.0.0.1]:25: TLSv1.2 with cipher AES256-SHA (256/256 bits)
Which shows the server preference in effect for the second connection (AES256
used despite client's preference for AES128).
--
Viktor.
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
