noxxi
commented
8 years ago Hi,
I've updated the default ciphers in IO::Socket::SSL version 2.026 based on what current browsers do and based on the recommendations of Mozilla. This also includes support for ECDHE-RSA-AES128-GCM-SHA256 now.
Apart from that I find the very restricted configuration of www.tiremoni.com questionable: they offer only a very few (4) ciphers (why?) but among these are ciphers which combine GCM with DHE even though all clients which can do GCM can do the much better ECDHE too. On top of that they use a weak DH key. Thus I don't think that somebody actually knew what (s)he was doing when setting up this site and in this case one should expect problems with non-standard clients.
brewt
Not an expert on SSL, but I ran into a situation where I couldn't connect to a server using LWP that only had the TLS 1.2 protocol enabled:
https://www.ssllabs.com/ssltest/analyze.html?d=www.tiremoni.com
In debugging this, I found that it was failing to connect because IO::Socket::SSL's default cipher list didn't include ECDHE-RSA-AES128-GCM-SHA256 (which all major browsers seem to include).
The comment for $DEFAULT_SSL_CLIENT_ARGS{SSL_cipher_list} says that the list is from IE11, but it's perhaps out of date, since IE11 seems to support more ciphers than in that list.
For reference, here's the list I get from IE11 (might be a bit out of date since it's from a VM):