Re: TLSv1 on CentOS-8

On Fri, Apr 17, 2020 at 05:17:47PM +0200, Tomas Mraz wrote:

> Or you could modify the /etc/pki/tls/openssl.cnf:
> Find the .include /etc/crypto-policies/back-ends/opensslcnf.config
> line in it and insert something like:
> 
> CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!RC4:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8

How did this particular contraption become a recommended cipherlist?
What's wrong with "DEFAULT"?  In OpenSSL 1.1.1 it already excludes
RC4 (if RC4 is at all enabled at compile time):

    $ openssl ciphers -v 'COMPLEMENTOFDEFAULT+RC4'
    ECDHE-ECDSA-RC4-SHA     TLSv1 Kx=ECDH     Au=ECDSA Enc=RC4(128) Mac=SHA1
    ECDHE-RSA-RC4-SHA       TLSv1 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
    RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1

I find too many people cargo-culting poorly thought-out cipher lists from
some random HOWTO.  Over-optimising your cipherlist is subject to
rapid bitrot, resist the temptation...

-- 
    Viktor.
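The thread's argument is that a hand-rolled CipherString should be checked against what "DEFAULT" already gives you before it is trusted. The following is an added example, not code from this thread, Viktor, or the OpenSSL project: it uses Python's ssl module (which drives the OpenSSL library Python was linked against) to audit any cipherstring for suites that only resurface when someone overrides the defaults, and to diff two cipherstrings. The weak-suite patterns and the function names are this example's own choices; the audit is read off the same `openssl ciphers -v` style description fields the message quotes, and a cipherstring OpenSSL refuses (for instance because RC4 is compiled out) is reported as rejected rather than treated as an error.

```python
import re
import ssl

# Fields of the "openssl ciphers -v" description that mark a suite nobody
# should be re-enabling by hand.  Assumption: this list is the example's
# own, not an OpenSSL or crypto-policies definition.
WEAK_PATTERNS = {
    "RC4": re.compile(r"Enc=RC4"),
    "MD5 MAC": re.compile(r"Mac=MD5"),
    "no encryption": re.compile(r"Enc=None"),
    "no authentication": re.compile(r"Au=None"),
}


def audit_cipherstring(cipherstring):
    """Resolve a cipherstring with the linked OpenSSL and flag weak suites.

    Returns a dict with the resolved suites, the (name, reason) pairs that
    matched WEAK_PATTERNS, and 'rejected' set to the OpenSSL error text when
    the library could not select any cipher from the string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipherstring)
    except ssl.SSLError as exc:
        return {"cipherstring": cipherstring, "rejected": str(exc),
                "ciphers": [], "weak": []}
    ciphers = ctx.get_ciphers()  # list of dicts: name, protocol, description, ...
    weak = []
    for cipher in ciphers:
        for reason, pattern in WEAK_PATTERNS.items():
            if pattern.search(cipher["description"]):
                weak.append((cipher["name"], reason))
    return {"cipherstring": cipherstring, "rejected": None,
            "ciphers": ciphers, "weak": weak}


def diff_cipherstrings(first, second):
    """Return (only_in_first, only_in_second) suite names, sorted.

    TLS 1.3 suites are controlled separately from the cipherstring and are
    reported by OpenSSL regardless of it, so they are left out of the diff.
    """
    def names(result):
        return {c["name"] for c in result["ciphers"] if c["protocol"] != "TLSv1.3"}
    a, b = names(audit_cipherstring(first)), names(audit_cipherstring(second))
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    # The string quoted in the thread, compared against plain DEFAULT.
    CONTRAPTION = ("@SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:"
                   "!RC4:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8")
    for cs in ("DEFAULT", CONTRAPTION):
        result = audit_cipherstring(cs)
        if result["rejected"]:
            print(f"{cs!r}: rejected by OpenSSL: {result['rejected']}")
        else:
            print(f"{cs!r}: {len(result['ciphers'])} suites, weak: {result['weak']}")
    only_default, only_custom = diff_cipherstrings("DEFAULT", CONTRAPTION)
    print("only in DEFAULT:", only_default)
    print("only in custom string:", only_custom)
```

Run it unchanged to see what the quoted string actually removes from, or adds to, DEFAULT on the OpenSSL build at hand; an empty "weak" list for DEFAULT is the point Viktor makes, and a rejected custom string shows why a hard-coded list is fragile across library versions.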


