> On Feb 11, 2017, at 8:14 AM, The Doctor <doctor@???> wrote:
>
> tls_require_ciphers expands to "ALL : SSLv2 : !LOW : !aNULL : !eNULL : !3DES : @STRENGTH"
Did you mean to exclude SSLv2 and forget the "!"?
You might consider something saner these days:
DEFAULT:!SSLv2:!EXPORT:!LOW:!kECDH:!kDH:!3DES:!MD5:!SEED:!IDEA:@STRENGTH
In sufficiently recent versions of OpenSSL, some of the above exclusions
are already part of "DEFAULT" (which is "ALL:!aNULL", and, by the way,
"ALL" already excludes "eNULL" which is what "COMPLEMENTOFALL" consists of).
--
Viktor.
