Recommended Ciphersuite

Adam Osuchowski adwol at zonk.pl
Wed Apr 23 22:33:07 CEST 2014


Jan Rękorajski wrote:
> Our current ciphers list is:
> 
> ALL:!ADH:!EXP:!LOW:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
> 
> instead of putting a random list of ciphers there, we can achieve the same
> effect just by disabling the weak ones, like this:
> 
> ALL:!ADH:!EXPORT:!LOW:!SSLv2:!DES:!3DES:!aNULL:!eNULL:!MD5:!PSK:!SEED:+HIGH:+MEDIUM
> 
> Looks better IMO.

Maybe it looks better, but the Mozilla ciphersuite list fixes a specific
order of prioritization. Better ciphers (in their opinion) are scored higher
(e.g. AES128 is preferred to AES256), whereas your general cipher
specification string fixes only the set of ciphers and leaves the detailed
ordering decision to the SSL/TLS software (mainly the openssl library).

Try to diff the outputs of `openssl ciphers -v' for the Mozilla-developed
string and this general one. The order will definitely be different. So, they
are not identical, which does not mean that either of them is better at all.
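
Added example, not part of the original message: the comparison suggested above, done through Python's `ssl` module, which expands a cipher string with the OpenSSL library Python is linked against and returns the names in preference order. The two default strings are constructed for illustration (same two suites, opposite order), and `resolve` and `compare` are hypothetical helper names.

```python
import ssl
import sys

def resolve(cipher_string):
    """Expand an OpenSSL cipher string into cipher names, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing can be selected
    return [c["name"] for c in ctx.get_ciphers()]

def compare(spec_a, spec_b):
    """Report whether two cipher strings give the same set and the same order."""
    a, b = resolve(spec_a), resolve(spec_b)
    # Index of the first position where the two preference lists disagree.
    first_diff = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), None)
    if first_diff is None and len(a) != len(b):
        first_diff = min(len(a), len(b))
    return {
        "same_set": set(a) == set(b),
        "same_order": a == b,
        "only_in_a": [c for c in a if c not in b],
        "only_in_b": [c for c in b if c not in a],
        "first_diff": first_diff,
    }

# Constructed sample strings: identical set, AES128 preferred in one,
# AES256 preferred in the other.
SAMPLE_A = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
SAMPLE_B = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"

if __name__ == "__main__":
    # Usage: script.py 'CIPHER-STRING-A' 'CIPHER-STRING-B'
    spec_a = sys.argv[1] if len(sys.argv) > 2 else SAMPLE_A
    spec_b = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_B
    try:
        result = compare(spec_a, spec_b)
    except ssl.SSLError as exc:
        sys.exit(f"OpenSSL rejected a cipher string: {exc}")
    print("same set:  ", result["same_set"])
    print("same order:", result["same_order"])
    if result["first_diff"] is not None:
        print("lists first differ at position", result["first_diff"])
    for name in result["only_in_a"]:
        print("only in A:", name)
    for name in result["only_in_b"]:
        print("only in B:", name)
```

The result depends on the OpenSSL version the interpreter is linked against, so run it on the host whose configuration is being reviewed.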

