On Mon, Oct 07, 2013 at 05:25:19PM +0000, Viktor Dukhovni wrote:
> This is a mistake. You probably meant:
>
> kEDH+HIGH:!eNULL:!aNULL:!MD5:@STRENGTH
>
> which is the properly sorted intersection of kEDH and HIGH, instead
> you're getting the union of kEDH and HIGH without sensible sorting,
> which includes, for example:
Comment: of course, with "kEDH+HIGH" as the only inclusion component
of the cipherlist, there is strictly speaking no need for the
"!eNULL" part. This said, it is a cheap safety feature. For
example, with "kEECDH:HIGH" the !eNULL constraint is actually
needed. And when using multiple inclusion components, don't forget
"@STRENGTH" which, in addition to sorting the various strength
ciphers properly, would have the effect of putting the NULL ciphers
last.
--
Viktor.
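
The cipher-list behaviour discussed in this message, as an added example that is not part of the original post and is not OpenSSL code: a simplified Python model of how the ":" , "+", "!" and "@STRENGTH" components combine. The cipher table is constructed sample data, the function name `expand` is hypothetical, and the union string "kEDH:HIGH:..." is an assumed stand-in for the original configuration, which is not quoted here.

```python
# Simplified model of OpenSSL cipher-string evaluation (assumption: this is
# an illustration of the documented semantics, not OpenSSL's own code).
# Constructed sample table: (name, tags, strength in bits).
CIPHERS = [
    ("ECDHE-RSA-NULL-SHA",   {"kEECDH", "aRSA", "eNULL", "SHA1"}, 0),
    ("AES128-SHA",           {"kRSA", "aRSA", "HIGH", "SHA1"}, 128),
    ("EDH-RSA-DES-CBC-SHA",  {"kEDH", "aRSA", "LOW", "SHA1"}, 56),
    ("ADH-AES256-SHA",       {"kEDH", "aNULL", "HIGH", "SHA1"}, 256),
    ("DHE-RSA-AES128-SHA",   {"kEDH", "aRSA", "HIGH", "SHA1"}, 128),
    ("DHE-RSA-AES256-SHA",   {"kEDH", "aRSA", "HIGH", "SHA1"}, 256),
    ("ECDHE-RSA-AES128-SHA", {"kEECDH", "aRSA", "HIGH", "SHA1"}, 128),
]


def expand(spec):
    """Return the cipher names selected by a ':'-separated cipher string.

    Supported subset: 'A+B' (ciphers carrying both tags), '!X' (permanent
    removal) and '@STRENGTH' (stable sort by key size, strongest first).
    """
    selected, killed = [], set()
    for part in spec.split(":"):
        if part == "@STRENGTH":
            selected.sort(key=lambda c: -c[2])  # list.sort is stable
            continue
        negate = part.startswith("!")
        tags = set(part.lstrip("!").split("+"))
        matches = [c for c in CIPHERS if tags <= c[1]]
        if negate:
            killed.update(c[0] for c in matches)
            selected = [c for c in selected if c[0] not in killed]
        else:
            selected += [c for c in matches
                         if c not in selected and c[0] not in killed]
    return [c[0] for c in selected]


if __name__ == "__main__":
    for spec in ("kEDH+HIGH:!eNULL:!aNULL:!MD5:@STRENGTH",  # intersection
                 "kEDH:HIGH:!eNULL:!aNULL:!MD5",            # union, unsorted
                 "kEECDH:HIGH",                             # NULL cipher first
                 "kEECDH:HIGH:@STRENGTH",                   # NULL cipher last
                 "kEECDH:HIGH:!eNULL"):                     # NULL cipher gone
        print(spec, "->", expand(spec))
```

On a real host, `openssl ciphers -v '<string>'` prints the list the installed library actually builds, which depends on the OpenSSL version.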