Disable SSLv3 and RC4

On Tue, Sep 13, 2016 at 4:45 PM, Nux! <nux at li.nux.ro> wrote:
> Nikos,
>
> That was spot on! That config line gives me A- on Qualy's ssllabs.
> I get the "-" because the server does not support "Forward Secrecy"
>
> Using the following line should solve fwd secrecy and give me A+ at the theoretical cost of breaking old clients, as per the manual.
>
> tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
>
> In reality using that line makes the server unreachable by Qualys, Firefox or Cisco Anyconnect.
> "ocserv[18873]: GnuTLS error (at worker-vpn.c:585): Could not negotiate a supported cipher suite."

This should have allowed the ECDHE ciphersuites which have forward
secrecy. Do you happen to have a certificate which is marked for
encryption-only? Your certificate must allow digital signatures for
forward secrecy ciphersuites to work.

regards,
Nikos
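A way to check for the encryption-only certificate Nikos is asking about, as an added example that is not part of the list thread or of ocserv itself: it builds two constructed self-signed certificates (one with keyUsage limited to key encipherment, one that also permits digital signatures) and inspects the Key Usage extension the same way you would on a real server certificate. It assumes openssl 1.1.1 or later (for `-addext`) and uses a hypothetical CN.

```shell
#!/bin/sh
# Added example, not from the ocserv list thread. ECDHE/DHE (forward secrecy)
# suites require the server to sign the key exchange, so a certificate whose
# keyUsage lacks Digital Signature cannot be used with them, which is one cause
# of "Could not negotiate a supported cipher suite" once -RSA is in the priority.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME KEYUSAGE: constructed self-signed RSA test certificate with the
# given keyUsage values (e.g. "digitalSignature,keyEncipherment").
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=vpn.example.test" \
        -addext "keyUsage=critical,$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# cert_allows_signing FILE: exit 0 if the certificate may be used for digital
# signatures, 1 if it is encryption-only. A certificate without any keyUsage
# extension is unrestricted and is therefore treated as allowing signatures.
cert_allows_signing() {
    text=$(openssl x509 -in "$1" -noout -text)
    if ! printf '%s\n' "$text" | grep -q "X509v3 Key Usage"; then
        return 0
    fi
    # The usage flags are printed on the line following the extension header.
    printf '%s\n' "$text" \
        | awk '/X509v3 Key Usage/ { getline; print; exit }' \
        | grep -q "Digital Signature"
}

make_cert enc-only keyEncipherment
make_cert sign-ok "digitalSignature,keyEncipherment"

for name in enc-only sign-ok; do
    if cert_allows_signing "$WORK/$name.crt"; then
        echo "$name.crt: digital signature allowed, ECDHE/DHE suites can be negotiated"
    else
        echo "$name.crt: encryption-only certificate, forward-secrecy suites will fail"
    fi
done
```

Run it against the real file with `cert_allows_signing /path/to/server.crt` (or `openssl x509 -in server.crt -noout -text | grep -A1 "Key Usage"`) to see which case applies to the certificate ocserv is loading.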
