Closed: slingamn closed this 6 years ago
This should do it:
```ini
; forward-secret, AES-only suites; the separator between !aNULL and !SSLv3 is added here
ciphers = EECDH+AESGCM:DHE+AESGCM:EECDH+AES:DHE+AES:!DSS:!aNULL:!SSLv3
options = CIPHER_SERVER_PREFERENCE
```
There are a couple of redundant exclusions: SSLv3 (stunnel disallows it by default) and DSS (irrelevant because our certificates are RSA). On Xenial, I see:
```console
$ openssl ciphers -v 'EECDH+AESGCM:DHE+AESGCM:EECDH+AES:DHE+AES:!DSS:!aNULL!SSLv3'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
```
This change has the potential to lock people out, so it should be rolled out with care.
Folding this into #17.
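A pre-rollout check for a cipher list like the one above, added here as an example and not part of this issue or of stunnel: it parses `openssl ciphers -v` output and flags any enabled suite that lacks forward secrecy, is anonymous, is not AES, or is a pre-TLS1.2 (SSLv3-keyword) suite. The sample input is four lines from the Xenial output in the comment plus two constructed lines that the list must reject; `audit_live` is an assumed helper that runs the local `openssl` binary.

```python
import subprocess

CIPHER_LIST = "EECDH+AESGCM:DHE+AESGCM:EECDH+AES:DHE+AES:!DSS:!aNULL:!SSLv3"

# Four lines pasted from the comment (OpenSSL 1.0.2 `-v` format) plus two
# constructed lines (AES256-SHA, AECDH-AES256-SHA) that the list must reject.
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
"""

def parse_ciphers(text):
    """Parse `openssl ciphers -v` lines into dicts (name, proto, Kx, Au, Enc, Mac)."""
    ciphers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:          # skip blank or truncated lines
            continue
        entry = {"name": fields[0], "proto": fields[1]}
        for kv in fields[2:]:
            key, _, value = kv.partition("=")
            entry[key] = value
        ciphers.append(entry)
    return ciphers

def check_cipher(c):
    """Return the policy violations for one suite; an empty list means it passes."""
    problems = []
    if c["Kx"] not in ("ECDH", "DH"):      # EECDH/DHE only: forward secrecy
        problems.append("no forward secrecy")
    if c["Au"] == "None":                  # what !aNULL removes
        problems.append("anonymous")
    if not c["Enc"].startswith("AES"):     # +AESGCM / +AES
        problems.append("non-AES")
    if c["proto"] == "SSLv3":              # what the !SSLv3 keyword removes
        problems.append("pre-TLS1.2 suite")
    return problems

def audit(text):
    """Map each suite name in the `-v` output to its list of violations."""
    return {c["name"]: check_cipher(c) for c in parse_ciphers(text)}

def audit_live(cipher_list=CIPHER_LIST):
    """Same check against the local OpenSSL build (assumes `openssl` is on PATH)."""
    out = subprocess.run(["openssl", "ciphers", "-v", cipher_list],
                         check=True, capture_output=True, text=True).stdout
    return audit(out)
```

Any non-empty entry returned by `audit_live()` means the string admits a suite the comment's list was meant to exclude on that OpenSSL build, which is worth knowing before a change that can lock clients out.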