[openssl-dev] 1.1.0 pre5 seems to ignore CIPHER_SERVER_PREFERENCE

Angus Robertson - Magenta Systems Ltd angus at magsys.co.uk
Thu May 26 13:44:00 UTC 2016


I have two custom Windows web sites, running released and beta versions
of OpenSSL.  The beta version only gets an A- score with SSL Labs,
whereas the release version gets A+.  

https://www1.telecom-tariffs.co.uk/serverinfo.htm

shows server status, and that it's running OpenSSL 1.1.0-pre5 (beta) 19
Apr 2016.  SSL Labs says: 'Cipher Suites (sorted by strength as the
server has no preference;)  The server does not support Forward Secrecy
with the reference browsers. Grade reduced to A-.'

https://www.telecom-tariffs.co.uk/serverinfo.htm

is the main live server running OpenSSL 1.0.2h 3 May 2016, and gets a
score A+ saying 'Cipher Suites (SSL 3+ suites in server-preferred
order)'. 

The application is identical with CIPHER_SERVER_PREFERENCE specified
and a Mozilla intermediate cipher list (shown on the status page), but
SSL Labs suggests there is no server preference so forward security
ciphers are not prioritised. 

The OpenSSL implementation is for Windows Embarcadero Delphi and the
free ICS internet component suite which I support; it uses our own
Pascal version of the OpenSSL C header files, originally created 10
years ago and updated for each new OpenSSL release, so there is a risk
we might miss subtle header changes like constants changing.

I realise pre5 is a month old, but cannot see this issue raised in
the last month.

Angus
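The "no server preference" finding above can be reproduced locally without SSL Labs. The script below is an added example, not code from the post or from OpenSSL: it handshakes twice with the same two suites offered in opposite order and reports whether the server's order or the client's order won. HOST, PORT and the two suite names are assumptions chosen for illustration.

```python
import socket
import ssl
from typing import Optional

# Assumptions for illustration: replace HOST with the server under test.
HOST = "server.example"
PORT = 443
SUITE_A = "ECDHE-RSA-AES128-GCM-SHA256"  # forward-secret suite
SUITE_B = "AES128-GCM-SHA256"            # static-RSA suite, no forward secrecy


def negotiated_cipher(host: str, port: int, cipher_list: str) -> str:
    """Handshake offering `cipher_list` (OpenSSL syntax); return the suite chosen."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # diagnostic handshake only, no application data is sent
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # set_ciphers() does not cover TLS 1.3
    ctx.set_ciphers(cipher_list)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()[0]


def judge(chosen_ab: str, chosen_ba: str, a: str, b: str) -> Optional[bool]:
    """Decide from two handshakes whether the server applied its own order.

    chosen_ab is the suite picked when the client offered "a:b", chosen_ba
    when it offered "b:a".  True: same suite both times, so the server's
    order won (or it supports only one of the pair).  False: the choice
    followed the client's order, i.e. no server preference, which is what
    SSL Labs flags.  None: the server chose something else; pick two suites
    it actually supports.
    """
    if chosen_ab == chosen_ba and chosen_ab in (a, b):
        return True
    if chosen_ab == a and chosen_ba == b:
        return False
    return None


def server_has_preference(host: str, port: int, a: str, b: str) -> Optional[bool]:
    """Run both handshakes against host:port and judge the result."""
    return judge(negotiated_cipher(host, port, f"{a}:{b}"),
                 negotiated_cipher(host, port, f"{b}:{a}"), a, b)


if __name__ == "__main__":
    print("server enforces its cipher order:",
          server_has_preference(HOST, PORT, SUITE_A, SUITE_B))
```

If the result is False on a server built with SSL_OP_CIPHER_SERVER_PREFERENCE in its options, the flag is not reaching the library, which is the header-constant mismatch the post suspects.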