> On May 28, 2018, at 5:27 PM, Michal Trojnara <Michal.Trojnara@xxxxxxxxxxx> wrote:
>
> - The default cipher list was updated to a safer value:
>   "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK".

I am rather puzzled as to why you chose to eliminate not just fixed DH, but also the ephemeral finite-field DH key exchange. What's wrong with the DHE ciphers? I would have chosen:

    HIGH:!aNULL:!kDH:!kECDH:!MD5

which excludes the *fixed* DH/ECDH ciphers and MD5 (and thus also SSLv2). This does not eliminate ephemeral finite-field DH, not sure why you're doing that...

--
    Viktor.
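
The two cipher strings compared in the message above can be expanded against the local TLS library to see which key exchanges each one leaves enabled. The following is an added example, not part of the original e-mail or of stunnel; it assumes a Python build linked against OpenSSL 1.1.0 or later, and the function names are hypothetical. The exact suite lists vary with the linked OpenSSL version.

```python
import ssl

# Cipher strings quoted in the message above.
STUNNEL_DEFAULT = "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK"
PROPOSED = "HIGH:!aNULL:!kDH:!kECDH:!MD5"


def expand(cipher_string):
    """Return the cipher suites the linked OpenSSL enables for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def by_key_exchange(cipher_string):
    """Group enabled suite names by the key-exchange label OpenSSL reports."""
    groups = {}
    for suite in expand(cipher_string):
        groups.setdefault(suite.get("kea", "unknown"), []).append(suite["name"])
    return groups


def ffdhe_suites(cipher_string):
    """Suites using ephemeral finite-field DH (OpenSSL names them DHE-*)."""
    return sorted(s["name"] for s in expand(cipher_string)
                  if s["name"].startswith("DHE-"))


def ecdhe_suites(cipher_string):
    """Suites using ephemeral elliptic-curve DH (OpenSSL names them ECDHE-*)."""
    return sorted(s["name"] for s in expand(cipher_string)
                  if s["name"].startswith("ECDHE-"))


if __name__ == "__main__":
    print("Linked library:", ssl.OPENSSL_VERSION)
    for label, spec in (("stunnel default", STUNNEL_DEFAULT),
                        ("proposed", PROPOSED)):
        print(f"\n{label}: {spec}")
        for kx, names in sorted(by_key_exchange(spec).items()):
            print(f"  {kx:12} {len(names):3} suites")
        print("  DHE suites:", ", ".join(ffdhe_suites(spec)) or "none")
```

Running the same comparison before changing a deployed cipher string shows whether clients limited to DHE key exchange would lose every common suite.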