Jeff Darcy <jdarcy@xxxxxxxxxx> wrote:

> We already exclude CBC, because of the POODLE attack, and that leaves us
> with 32 ciphers. Excluding DH as well leaves us with only four.
>
> AES256-GCM-SHA384
> AES256-SHA256
> AES128-GCM-SHA256
> AES128-SHA256

Why are ECDH ciphers missing? That list has no cipher featuring PFS, that
looks really bad.

My understanding of POODLE is that CBC ciphers are fine, you just need to
reject the SSLv3 protocol.

> This doesn't seem particularly hard, or at least it wouldn't be if we
> didn't have to account for every RHEL version and associated OpenSSL
> version going back ten years.

The function calls I proposed are used in Apache and Sendmail without any
OpenSSL version ifdef.

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@xxxxxxxxxx
_______________________________________________
Gluster-devel mailing list
Gluster-devel@xxxxxxxxxxx
http://www.gluster.org/mailman/listinfo/gluster-devel
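An added example, not part of the original message or of any GlusterFS code: a Python audit that reads the four quoted suite names by OpenSSL's naming convention and reports which lack forward secrecy and which use CBC. The helper names `classify`, `audit` and `enabled_suites` are hypothetical, and the cipher string `ECDHE+AES` is a constructed sample input.

```python
import ssl

# The four suites quoted in the message above, in OpenSSL naming.
QUOTED = ["AES256-GCM-SHA384", "AES256-SHA256",
          "AES128-GCM-SHA256", "AES128-SHA256"]

EPHEMERAL = {"ECDHE", "DHE", "EDH"}      # fresh key per handshake: forward secrecy
STATIC = {"ECDH", "DH", "PSK", "RSA"}    # named key exchange without ephemeral keys
BULK = ("AES", "CAMELLIA", "ARIA", "DES", "RC4", "SEED", "IDEA", "NULL")


def classify(name):
    """Return (key_exchange, mode, pfs) for an OpenSSL cipher-suite name."""
    if name.startswith("TLS_"):          # TLS 1.3 suites always use (EC)DHE
        return ("TLS1.3", "AEAD", True)
    parts = name.split("-")
    head = parts[0]
    if head in EPHEMERAL or head in STATIC:
        kx = head
    elif head.startswith(BULK):
        kx = "RSA"                       # no prefix means RSA key transport
    else:
        kx = "unknown"                   # not handled here; treated as no PFS
    if {"GCM", "CCM", "CCM8", "CHACHA20"} & set(parts):
        mode = "AEAD"
    elif "RC4" in parts:
        mode = "stream"
    elif "NULL" in parts:
        mode = "none"
    else:
        mode = "CBC"                     # block cipher plus HMAC, e.g. AES256-SHA256
    return (kx, mode, kx in EPHEMERAL)


def audit(names):
    """List the names that lack forward secrecy and the names that use CBC."""
    rows = {n: classify(n) for n in names}
    return {"no_pfs": [n for n, r in rows.items() if not r[2]],
            "cbc": [n for n, r in rows.items() if r[1] == "CBC"]}


def enabled_suites(cipher_string):
    """Expand a cipher string on a server context that refuses SSLv3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv3       # reject the protocol, keep the ciphers
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    print(audit(QUOTED))
    print(audit(enabled_suites("ECDHE+AES")))
```

The second call shows what the local OpenSSL build actually enables for an ECDHE cipher string, so its output varies between systems.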