TLSv1 on CentOS-8
Viktor Dukhovni
openssl-users at dukhovni.org
Fri Apr 17 17:03:18 UTC 2020
On Fri, Apr 17, 2020 at 05:17:47PM +0200, Tomas Mraz wrote:
> Or you could modify the /etc/pki/tls/openssl.cnf:
> Find the .include /etc/crypto-policies/back-ends/opensslcnf.config
> line in it and insert something like:
>
> CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!RC4:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
How did this particular contraption become a recommended cipherlist?
What's wrong with "DEFAULT"? In OpenSSL 1.1.1 it already excludes
RC4 (if RC4 is at all enabled at compile time):
$ openssl ciphers -v 'COMPLEMENTOFDEFAULT+RC4'
ECDHE-ECDSA-RC4-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
ECDHE-RSA-RC4-SHA TLSv1 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
I find too many people cargo-culting poorly thought cipher lists from
some random HOWTO. Over optimising your cipherlist is subject to
rapid bitrot, resist the temptation...
--
Viktor.
More information about the openssl-users
mailing list