Viktor Dukhovni wrote, on 15.10.2013 17:05:
> This cipher list is clearly the result of an incomplete understanding
> of the OpenSSL cipherlist syntax. And yet you're not a novice
> user. Hence my contention that the OpenSSL cipher syntax is for
> OpenSSL experts only, applications should not expose it directly
> to users.
Thanks for your detailed explanation! I already recognized the NULL ciphers I
indeed didn't want to include. I searched for the correct pendant of kEDH for
EC, but didn't find anything useful.
Even
http://www.openssl.org/docs/apps/ciphers.html
does not list "kEECDH"! I think I tried kECDH, kECDHE without success. Then I
found ECDH adding the ciphers I wanted and some others I didn't care about
(enough;-) ).
So, my cipherlist is a result of incomplete documentation as well ...
resulting in incomplete understanding.
> [ Postfix has cipher grades (null, export, low, medium, high), users
> choose one of these, and leave the underlying cipherlists alone! ]
Sure. I won't touch cipher strings if the defaults are reasonable. But the
results of sites like ssllabs.com testing my web servers suggest the opposite.
And e.g. Apache mod_ssl also documents the cipher details.
But thanks a lot for your warnings and explanations!
Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha@???> |
http://www.blafasel.at/
Vienna University Computer Center | Austria
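The practical way out of the guessing game described in this exchange is to let libssl itself say what a cipherlist string selects before putting it in a server config. The following is an added example, not code from the thread or from OpenSSL; it assumes Python 3.6 or newer (for `SSLContext.get_ciphers()`) built against a libssl that accepts the aliases discussed above (`kEECDH`, `aNULL`, `eNULL`). Python hands the string to the same `SSL_CTX_set_cipher_list` parser that `openssl ciphers -v '<string>'` uses, so the expansion is the real one for that build. `expand`, `audit` and `is_empty` are names chosen for this example.

```python
"""Expand an OpenSSL cipherlist string and audit what it actually selects.

Added example, not part of the mailing-list thread. The ssl module passes
the string to the same libssl cipherlist parser that
`openssl ciphers -v '<string>'` uses, so the result is what a server built
on this OpenSSL would really offer for TLS 1.2 and below.
"""
import re
import ssl

# Columns of SSL_CIPHER_description(), the same text `openssl ciphers -v`
# prints: "... Kx=ECDH  Au=RSA  Enc=AESGCM(256) Mac=AEAD".
_DESC = re.compile(r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)")


def expand(cipher_string):
    """Return the TLS 1.2-and-below suites a cipherlist string selects.

    Entries are (name, kx, au, enc) in the order libssl would prefer them.
    TLS 1.3 suites are configured separately (SSL_CTX_set_ciphersuites)
    and are not affected by the cipherlist string, so they are left out.
    Raises ssl.SSLError when nothing matches; an unknown keyword such as a
    misspelt alias is silently ignored by the parser, so a string made up
    only of such words ends up selecting nothing and fails the same way.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        m = _DESC.search(c["description"])
        if m:
            suites.append((c["name"], m["kx"], m["au"], m["enc"]))
    return suites


def is_empty(cipher_string):
    """True when the string selects no TLS<=1.2 suite at all."""
    try:
        return not expand(cipher_string)
    except ssl.SSLError:
        return True


def audit(cipher_string):
    """Flag the classes of suites the thread warns about.

    null_encryption: Enc=None (eNULL)  no confidentiality at all
    anonymous:       Au=None  (aNULL)  no server authentication
    no_pfs:          Kx=RSA   (kRSA)   RSA key transport, no forward secrecy
    """
    suites = expand(cipher_string)
    return {
        "count": len(suites),
        "null_encryption": [n for n, _, _, enc in suites if enc == "None"],
        "anonymous": [n for n, _, au, _ in suites if au == "None"],
        "no_pfs": [n for n, kx, _, _ in suites if kx == "RSA"],
    }


if __name__ == "__main__":
    # Compare the string the writer wanted with the one he ended up using.
    for s in ("kEECDH:!aNULL", "ECDH", "HIGH:!aNULL:!eNULL"):
        report = audit(s)
        print(f"{s!r}: {report['count']} suites, "
              f"anonymous={report['anonymous']}, "
              f"null_encryption={report['null_encryption']}")
        for name, kx, au, enc in expand(s)[:4]:
            print(f"  {name:32} Kx={kx:8} Au={au:6} Enc={enc}")
```

On OpenSSL 1.1.0 and later the `ECDH` alias expands to the same suites as `kEECDH`, because the static ECDH suites were removed in that release; on the 1.0.x releases current when this message was written, `ECDH` also pulled in the static `ECDH/RSA` and `ECDH/ECDSA` suites, which is the "some others I didn't care about" effect. Running the script against the exact libssl the web server links to is what settles the question, not the manual page.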