That link shows whatever anyone's browser is configured to handle when clicking the link.
The important thing is which browsers you need to support, like the ones on
https://www.ssllabs.com/ssltest/clients.html
Beware that the list I just linked is woefully incomplete for those of us who actively target "any browser" support, especially when including old stuff like Windows Mobile 5 and Windows XP.
On 21/04/2020 17:06, Junaid Mukhtar wrote:
Hi Tomas/Team
I have managed to block the RC4 and enable tlsv1 as per our requirements.
We have a requirement to match the cipher list on the internal server to the native browser cipher list as shown by
https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
I have tried setting up different combinations on the CipherString but none helped. Do you have any suggestions as to how to achieve this?
On Fri, Apr 17, 2020 at 6:22 PM Tomas Mraz <tmraz@xxxxxxxxxx> wrote:
On Fri, 2020-04-17 at 13:03 -0400, Viktor Dukhovni wrote:
> On Fri, Apr 17, 2020 at 05:17:47PM +0200, Tomas Mraz wrote:
>
> > Or you could modify the /etc/pki/tls/openssl.cnf:
> > Find the .include /etc/crypto-policies/back-ends/opensslcnf.config
> > line in it and insert something like:
> >
> > CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!RC4:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
>
> How did this particular contraption become a recommended cipherlist?
To explain - this is basically an autogenerated value from the crypto policy definition of the LEGACY crypto policy, with just the !RC4 added.
> What's wrong with "DEFAULT"? In OpenSSL 1.1.1 it already excludes
> RC4 (if RC4 is at all enabled at compile time):
Nothing wrong with DEFAULT. For manual configuration. This is however
something that is autogenerated.
> $ openssl ciphers -v 'COMPLEMENTOFDEFAULT+RC4'
> ECDHE-ECDSA-RC4-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
> ECDHE-RSA-RC4-SHA TLSv1 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
> RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
>
> I find too many people cargo-culting poorly thought-out cipher lists from
> some random HOWTO. Over optimising your cipherlist is subject to
> rapid bitrot, resist the temptation...
Yeah, I should have probably suggested just: CipherString = DEFAULT
There is not much point in being as close to the autogenerated policy
as possible for this particular user's use-case.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
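As an added example (not code from this thread or from OpenSSL), a small Python check that parses the `openssl ciphers -v` output format quoted above and flags the suites that the "block RC4" requirement from the first mail would reject; the sample lines are constructed, and in practice the parser is fed the real output of `openssl ciphers -v` run on the configured CipherString.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample in the format `openssl ciphers -v` prints: two suites
# that DEFAULT keeps, plus the three RC4 suites quoted in the mail.
SAMPLE_OUTPUT = """\
TLS_AES_256_GCM_SHA384      TLSv1.3 Kx=any  Au=any   Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-RC4-SHA         TLSv1   Kx=ECDH Au=ECDSA Enc=RC4(128)    Mac=SHA1
ECDHE-RSA-RC4-SHA           TLSv1   Kx=ECDH Au=RSA   Enc=RC4(128)    Mac=SHA1
RC4-SHA                     SSLv3   Kx=RSA  Au=RSA   Enc=RC4(128)    Mac=SHA1
"""

# One `openssl ciphers -v` line: name, minimum protocol, then Kx/Au/Enc/Mac.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)$"
)


def parse_ciphers(text: str) -> List[Dict[str, str]]:
    """Parse each `openssl ciphers -v` line into its fields; the Enc field
    is reduced to the algorithm name (RC4(128) -> RC4)."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # skip blank or unexpected lines
        fields = m.groupdict()
        fields["enc"] = fields["enc"].split("(")[0]
        suites.append(fields)
    return suites


def policy_violations(suites: Sequence[Dict[str, str]],
                      banned_enc: Sequence[str] = ("RC4",),
                      banned_mac: Sequence[str] = ("MD5",)) -> List[str]:
    """Names of suites using a banned bulk cipher or MAC; an empty list means
    the CipherString under test satisfies the 'block RC4' requirement."""
    return [s["name"] for s in suites
            if s["enc"] in banned_enc or s["mac"] in banned_mac]


if __name__ == "__main__":
    # Real use: pass in the stdout of `openssl ciphers -v '<CipherString>'`.
    for name in policy_violations(parse_ciphers(SAMPLE_OUTPUT)):
        print("violates policy:", name)
```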