hi,
just bringing into this community list a discussion started between myself and Stefan
(and a couple of others who lurk in another domain..hello Rhys ;-) )
the current abfab-tls virtual server used by assent is using
cipher_list = "DEFAULT"
this then allows the server to use those methods available for OpenSSL (which is
usually a pretty wide amount of ciphers!)
with the current focus on other SSL systems to lockdown as much as possible, I thought
it might be worth looking to see what we can lock this down to.... ideally
we would only be doing TLS 1.2 now..... can we assume that all trust-router related
servers are going to be able to use TLS 1.2 (ie have OpenSSL 1.x - ideally 1.0.2 or above...)
and that we can just go for a standard. if not, shall we discuss what the minimun methods
should be do avoid someone negotiating something weak with no replay protection etc?
a starting point might be something suggested as best practice:
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
if we are 1.0.1f and above for OpenSSL then we have an easier ride for this...something like
TLSv1.2:kRSA:!eNULL:!aNULL
should do the trick.... earlier versions dont have the TLSv1.2 tag and need nasty lines like earlier :(
comments/arguments? :-)
alan
|