gnupg website
Andrew Gallagher
andrewg at andrewg.com
Thu Jan 26 12:49:54 CET 2017
On 26/01/17 00:16, Andrew Gallagher wrote:
>
> gnupg.org *does* keep 3DES at the end of the supported suites, so surely
> it should not be affected. I'm tempted to write this off as a
> mistake by ssllabs.
I've spoken to ssllabs and it appears that this was an ambiguity in the
wording of their blog post. That means the downgrade to C next month is
legit - not because 3DES is present, but because 3DES is present *and*
GCM is absent.
What both this and Glenn's Apple issue have in common is the lack of
ECDHE+GCM suites in the cipher list. I generally use the following
config in Apache:
SSLCipherSuite \
"EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
EECDH EDH+AESGCM EDH+aRSA +3DES 3DES \
!aNULL !eNULL !LOW !EXP !MD5 !KRB5 !PSK !SRP !DSS !SEED !RC4"
This uses all HIGH suites in a sensible order but still falls back to
3DES for XP compatibility. When retiring 3DES this simplifies to:
SSLCipherSuite \
"EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
EECDH EDH+AESGCM EDH+aRSA !MEDIUM !LOW !aNULL !eNULL !PSK"
Andrew.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170126/f1c1bbb2/attachment.sig>
More information about the Gnupg-users
mailing list