Hi, we have a requirement to enable TLSv1 for an edge case. When we enable that via Tomas's recommendation, it enables the RC4 cipher.
We want to disable RC4 but keep TLSv1, and that's why the ask for the process.
Thanks,
On Fri, 17 Apr 2020 at 18:04, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
On Fri, Apr 17, 2020 at 05:17:47PM +0200, Tomas Mraz wrote:
> Or you could modify the /etc/pki/tls/openssl.cnf:
> Find the .include /etc/crypto-policies/back-ends/opensslcnf.config
> line in it and insert something like:
>
> CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!RC4:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
How did this particular contraption become a recommended cipherlist?
What's wrong with "DEFAULT"? In OpenSSL 1.1.1 it already excludes
RC4 (if RC4 is at all enabled at compile time):
$ openssl ciphers -v 'COMPLEMENTOFDEFAULT+RC4'
ECDHE-ECDSA-RC4-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
ECDHE-RSA-RC4-SHA TLSv1 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
I find too many people cargo-culting poorly thought-out cipher lists from
some random HOWTO. Over-optimising your cipherlist is subject to
rapid bitrot; resist the temptation...
--
Viktor.
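The check Viktor is implicitly asking for (does the expanded cipher list still contain an RC4 suite, and does it still contain suites a TLS 1.0 peer can negotiate?) can be scripted against the output of `openssl ciphers -v`. The following is an added example, not code posted by anyone in this thread: the two cipher-list outputs embedded in it are constructed samples in the same column layout shown above (the three RC4 entries mirror the ones in Viktor's message), and the optional live check assumes an `openssl` binary on PATH.

```python
import re
import shutil
import subprocess

# Constructed sample of `openssl ciphers -v` output for a list that still
# allows RC4 (not captured from a real system).
SAMPLE_WITH_RC4 = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA          TLSv1   Kx=ECDH Au=RSA   Enc=AES(128)    Mac=SHA1
ECDHE-ECDSA-RC4-SHA           TLSv1   Kx=ECDH Au=ECDSA Enc=RC4(128)    Mac=SHA1
ECDHE-RSA-RC4-SHA             TLSv1   Kx=ECDH Au=RSA   Enc=RC4(128)    Mac=SHA1
RC4-SHA                       SSLv3   Kx=RSA  Au=RSA   Enc=RC4(128)    Mac=SHA1
AES128-SHA                    SSLv3   Kx=RSA  Au=RSA   Enc=AES(128)    Mac=SHA1
"""

# Constructed sample for the same list after appending ":!RC4".
SAMPLE_HARDENED = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA          TLSv1   Kx=ECDH Au=RSA   Enc=AES(128)    Mac=SHA1
AES128-SHA                    SSLv3   Kx=RSA  Au=RSA   Enc=AES(128)    Mac=SHA1
"""

# One line of `openssl ciphers -v`: name, minimum protocol, then Kx/Au/Enc/Mac columns.
CIPHER_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` output into a list of column dicts."""
    suites = []
    for line in text.splitlines():
        m = CIPHER_LINE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def rc4_suites(suites):
    """Names of suites whose bulk cipher is RC4 (Enc=RC4(...))."""
    return [s["name"] for s in suites if s["enc"].startswith("RC4")]


def tlsv1_capable(suites):
    """Suites a TLS 1.0 peer can negotiate.

    The protocol column is the *minimum* version the suite needs, so a suite
    listed as TLSv1.2 (e.g. AES-GCM) is not usable on a TLS 1.0 connection;
    only SSLv3- and TLSv1-level suites are.
    """
    return [s["name"] for s in suites if s["proto"] in ("SSLv3", "TLSv1")]


def check_cipherlist_output(text):
    """Evaluate one expansion: no RC4 present, and something left for TLS 1.0."""
    suites = parse_ciphers_v(text)
    rc4 = rc4_suites(suites)
    tlsv1_ok = tlsv1_capable(suites)
    return {
        "rc4": rc4,
        "tlsv1_ok": tlsv1_ok,
        "acceptable": not rc4 and bool(tlsv1_ok),
    }


def check_live_cipherstring(cipherstring):
    """Expand cipherstring with the local openssl binary (assumed on PATH) and
    evaluate it; returns None when openssl is not installed."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(
        ["openssl", "ciphers", "-v", cipherstring],
        capture_output=True, text=True, check=True,
    )
    return check_cipherlist_output(proc.stdout)


if __name__ == "__main__":
    for label, sample in (("with RC4", SAMPLE_WITH_RC4), ("hardened", SAMPLE_HARDENED)):
        print(label, check_cipherlist_output(sample))
    live = check_live_cipherstring("DEFAULT:!RC4")
    if live is not None:
        print("local DEFAULT:!RC4", live)
```

The useful part is the distinction `tlsv1_capable` makes: the protocol column is a minimum, so a list can be free of RC4 and still leave a TLS 1.0 client with nothing to negotiate if every remaining suite is TLSv1.2-only. Running the live check against the exact CipherString you put in openssl.cnf tells you both things at once.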