TLSv1 on CentOS-8
Junaid Mukhtar
junaid.mukhtar at gmail.com
Fri Apr 17 17:06:56 UTC 2020
Hi, we have a requirement to enable TLSv1 for an edge case. When we enable
that via Tomas's recommendation, it enables the RC4 cipher.
We want to disable RC4 but keep TLSv1, and that's why the ask for the
process.
Thanks,
On Fri, 17 Apr 2020 at 18:04, Viktor Dukhovni <openssl-users at dukhovni.org>
wrote:
> On Fri, Apr 17, 2020 at 05:17:47PM +0200, Tomas Mraz wrote:
>
> > Or you could modify the /etc/pki/tls/openssl.cnf:
> > Find the .include /etc/crypto-policies/back-ends/opensslcnf.config
> > line in it and insert something like:
> >
> > CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!RC4:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
>
> How did this particular contraption become a recommended cipherlist?
> What's wrong with "DEFAULT"? In OpenSSL 1.1.1 it already excludes
> RC4 (if RC4 is at all enabled at compile time):
>
> $ openssl ciphers -v 'COMPLEMENTOFDEFAULT+RC4'
> ECDHE-ECDSA-RC4-SHA     TLSv1 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
> ECDHE-RSA-RC4-SHA       TLSv1 Kx=ECDH     Au=RSA   Enc=RC4(128)  Mac=SHA1
> RC4-SHA                 SSLv3 Kx=RSA      Au=RSA   Enc=RC4(128)  Mac=SHA1
>
> I find too many people cargo-culting poorly thought cipher lists from
> some random HOWTO. Over optimising your cipherlist is subject to
> rapid bitrot, resist the temptation...
>
> --
> Viktor.
>
--
Sent from Gmail Mobile
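An added example, not code from the thread: a small audit script that parses `openssl ciphers -v` output (the format shown in Viktor's reply) and reports any RC4, NULL, MD5 or anonymous suites that a TLSv1-enabling cipher string still admits. The sample output embedded below is constructed; the live check assumes an `openssl` binary on PATH and returns None if there is none.

```python
"""Audit an OpenSSL cipher string for suites that should not survive a
TLSv1-enabling policy (RC4, NULL encryption, MD5 MAC, anonymous auth)."""
import re
import shutil
import subprocess

# Constructed sample in the one-suite-per-line format `openssl ciphers -v` prints.
SAMPLE_OUTPUT = """\
ECDHE-ECDSA-RC4-SHA         TLSv1   Kx=ECDH Au=ECDSA Enc=RC4(128)    Mac=SHA1
ECDHE-RSA-AES128-SHA        TLSv1   Kx=ECDH Au=RSA   Enc=AES(128)    Mac=SHA1
RC4-SHA                     SSLv3   Kx=RSA  Au=RSA   Enc=RC4(128)    Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(256) Mac=AEAD
"""

# Cipher string quoted in the thread (Tomas's suggestion for openssl.cnf).
THREAD_CIPHERSTRING = ("@SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:"
                       "!RC4:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8")

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")


def parse_ciphers(text):
    """Return one dict per suite parsed from `openssl ciphers -v` output."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not fit the -v layout are ignored
            name, proto, kx, au, enc, mac = m.groups()
            suites.append({"name": name, "protocol": proto, "kx": kx,
                           "au": au, "enc": enc, "mac": mac})
    return suites


def weak_suites(suites):
    """Names of suites that use RC4, no encryption, an MD5 MAC or anonymous auth."""
    bad = []
    for s in suites:
        enc = s["enc"].upper()
        if (enc.startswith("RC4") or enc.startswith("NONE")
                or s["mac"].upper() == "MD5" or s["au"].upper() == "NONE"):
            bad.append(s["name"])
    return bad


def audit_cipherstring(cipherstring):
    """Expand a cipher string with the real openssl binary and return the weak
    suite names it admits; None means openssl was not found (not checked)."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", cipherstring],
                          capture_output=True, text=True, check=True)
    return weak_suites(parse_ciphers(proc.stdout))


if __name__ == "__main__":
    print("sample weak suites:", weak_suites(parse_ciphers(SAMPLE_OUTPUT)))
    for cs in ("DEFAULT", THREAD_CIPHERSTRING):
        print(cs[:40], "->", audit_cipherstring(cs))
```

Run it on the server after editing openssl.cnf: an empty list for both `DEFAULT` and the thread's string confirms that RC4 is excluded even though TLSv1 itself remains enabled.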