<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">Hi Tomas/Team</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">I have managed to block the RC4 and enable tlsv1 as per our requirements. <br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">We have a requirement to match cipher list on the internal server to match the native browser cipher list as shown by the <a href="https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html">https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html</a> <br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">I have tried setting up different combinations on the CipherString but none helped. Do you have any suggestions as to how to do achieve this?<br></div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><font size="2"><span style="font-family:verdana,sans-serif"><br>--------<br>Regards,</span><br style="font-family:verdana,sans-serif"><span style="font-family:verdana,sans-serif">Junaid</span></font><br></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Apr 17, 2020 at 6:22 PM Tomas Mraz <<a href="mailto:tmraz@redhat.com">tmraz@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Fri, 2020-04-17 at 13:03 -0400, Viktor Dukhovni wrote:<br>
> On Fri, Apr 17, 2020 at 05:17:47PM +0200, Tomas Mraz wrote:<br>
> <br>
> > Or you could modify the /etc/pki/tls/openssl.cnf:<br>
> > Find the .include /etc/crypto-policies/back-ends/opensslcnf.config<br>
> > line in it and insert something like:<br>
> > <br>
> > CipherString =<br>
> > @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!RC4:<br>
> > !IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8<br>
> <br>
> How did this particular contraption become a recommended cipherlist?<br>
<br>
To explain - this is basically autogenerated value from the crypto<br>
policy definiton of the LEGACY crypto policy with just added the !RC4. <br>
<br>
<br>
> What's wrong with "DEFAULT"? In OpenSSL 1.1.1 it already excludes<br>
> RC4 (if RC4 is at all enabled at compile time):<br>
<br>
Nothing wrong with DEFAULT. For manual configuration. This is however<br>
something that is autogenerated.<br>
<br>
> $ openssl ciphers -v 'COMPLEMENTOFDEFAULT+RC4'<br>
> ECDHE-ECDSA-RC4-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=RC4(128)<br>
> Mac=SHA1<br>
> ECDHE-RSA-RC4-SHA TLSv1<br>
> Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1<br>
> RC4-SHA SSLv3<br>
> Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1<br>
> <br>
> I find too many people cargo-culting poorly thought cipher lists from<br>
> some random HOWTO. Over optimising your cipherlist is subject to<br>
> rapid bitrot, resist the temptation...<br>
<br>
Yeah, I should have probably suggested just: CipherString = DEFAULT<br>
<br>
There is not much point in being as close to the autogenerated policy<br>
as possible for this particular user's use-case.<br>
<br>
-- <br>
Tomáš Mráz<br>
No matter how far down the wrong road you've gone, turn back.<br>
Turkish proverb<br>
[You'll know whether the road is wrong if you carefully listen to your<br>
conscience.]<br>
<br>
<br>
</blockquote></div>