TLSv1 on CentOS-8

Jakob Bohm jb-openssl at wisemo.com
Tue Apr 21 19:29:58 UTC 2020


That link shows whatever anyone's browser is configured to handle when
clicking the link.

The important thing is which browsers you need to support, like the ones on
https://www.ssllabs.com/ssltest/clients.html

Beware that the list I just linked is woefully incomplete for those of us
who actively target "any browser" support, especially when including old
stuff like Windows Mobile 5 and Windows XP.

On 21/04/2020 17:06, Junaid Mukhtar wrote:
> Hi Tomas/Team
>
> I have managed to block the RC4 and enable tlsv1 as per our requirements.
>
> We have a requirement to match cipher list on the internal server to 
> match the native browser cipher list as shown by the 
> https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
>
> I have tried setting up different combinations on the CipherString but 
> none helped. Do you have any suggestions as to how to achieve this?
>
>
> On Fri, Apr 17, 2020 at 6:22 PM Tomas Mraz <tmraz at redhat.com 
> <mailto:tmraz at redhat.com>> wrote:
>
>     On Fri, 2020-04-17 at 13:03 -0400, Viktor Dukhovni wrote:
>     > On Fri, Apr 17, 2020 at 05:17:47PM +0200, Tomas Mraz wrote:
>     >
>     > > Or you could modify the /etc/pki/tls/openssl.cnf:
>     > > Find the .include /etc/crypto-policies/back-ends/opensslcnf.config
>     > > line in it and insert something like:
>     > >
>     > > CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!RC4:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
>     >
>     > How did this particular contraption become a recommended cipherlist?
>
>     To explain - this is basically an autogenerated value from the crypto
>     policy definition of the LEGACY crypto policy with just the !RC4
>     added.
>
>
>     > What's wrong with "DEFAULT"?  In OpenSSL 1.1.1 it already excludes
>     > RC4 (if RC4 is at all enabled at compile time):
>
>     Nothing wrong with DEFAULT. For manual configuration. This is however
>     something that is autogenerated.
>
>     >     $ openssl ciphers -v 'COMPLEMENTOFDEFAULT+RC4'
>     >     ECDHE-ECDSA-RC4-SHA     TLSv1 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
>     >     ECDHE-RSA-RC4-SHA       TLSv1 Kx=ECDH     Au=RSA   Enc=RC4(128)  Mac=SHA1
>     >     RC4-SHA                 SSLv3 Kx=RSA      Au=RSA   Enc=RC4(128)  Mac=SHA1
>     >
>     > I find too many people cargo-culting poorly thought-out cipher lists
>     > from some random HOWTO.  Over-optimising your cipherlist is subject to
>     > rapid bitrot, resist the temptation...
>
>     Yeah, I should have probably suggested just: CipherString = DEFAULT
>
>     There is not much point in being as close to the autogenerated policy
>     as possible for this particular user's use-case.
>

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
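A quick way to see what a CipherString actually expands to on the OpenSSL you are running, and whether any RC4, MD5 or NULL suites survive it, as an added example that is not from the thread: it uses Python's ssl module, which hands the string to SSL_CTX_set_cipher_list, the same engine behind `openssl ciphers -v`. The LEGACY_NO_RC4 string is the one quoted above; the weak-suite pattern and the helper names are my own assumptions.

```python
import re
import ssl

# The LEGACY-derived string quoted in the thread, with !RC4 already added.
LEGACY_NO_RC4 = (
    "@SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!RC4:"
    "!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8"
)

# Constructed pattern: suite names the thread wants gone (RC4, MD5 MACs,
# NULL encryption/authentication). Adjust to your own policy.
WEAK = re.compile(r"RC4|MD5|NULL")


def expand(cipher_string):
    """Return the TLS 1.2-and-below suite names OpenSSL selects for
    cipher_string, in preference order, like `openssl ciphers -v`.
    An empty list means OpenSSL reported 'no cipher match'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    # get_ciphers() also lists the TLS 1.3 suites, which CipherString
    # does not govern (they are set via Ciphersuites), so drop them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(cipher_string):
    """Suites left in the expansion that still match the WEAK pattern."""
    return [name for name in expand(cipher_string) if WEAK.search(name)]


if __name__ == "__main__":
    for label, cs in (("DEFAULT", "DEFAULT"), ("LEGACY minus RC4", LEGACY_NO_RC4)):
        names = expand(cs)
        print(f"{label}: {len(names)} suites, weak leftovers: {weak_suites(cs)}")
        for name in names[:5]:
            print("   ", name)
```

Run it on the box in question rather than a workstation: the expansion depends on the OpenSSL build and the crypto-policy it is linked against, which is exactly why the thread warns against copying cipher lists from a HOWTO.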
