Message149859
| Author |
naif |
| Recipients |
gregory.p.smith, naif, pitrou |
| Date |
2011年12月19日.13:31:32 |
| SpamBayes Score |
6.904496e-07 |
| Marked as misclassified |
No |
| Message-id |
<1324301493.21.0.301225362541.issue13636@psf.upfronthosting.co.za> |
| In-reply-to |
| Content |
We could also disable all the ciphers that use MD5 for authentication:
MD5 has been disabled for SSL use due to it's weakness by:
- Firefox (All mozilla products now refuse any MD5 ciphers)
https://www.thesslstore.com/blog/index.php/firefox-to-stop-supporting-md5-based-ssl/
- Duracon by Jacob Appelbaum (Tor Project)
https://github.com/ioerror/duraconf
"HIGH:!aNULL:!eNULL:!SSLv2:!MD5" would do the magic, so we update the default to a modern, yet compatible set of SSL ciphers supported.
I don't want in any case to break compatibilities, but by default a software, should not support vulnerable, weak ciphers and this seems a good compromise.
Then the last fine tuning would be have the right preferred orders of ciphers to always prefer ECDHE (if available). |
|
History
|
|---|
| Date |
User |
Action |
Args |
| 2011年12月19日 13:31:33 | naif | set | recipients:
+ naif, gregory.p.smith, pitrou |
| 2011年12月19日 13:31:33 | naif | set | messageid: <1324301493.21.0.301225362541.issue13636@psf.upfronthosting.co.za> |
| 2011年12月19日 13:31:32 | naif | link | issue13636 messages |
| 2011年12月19日 13:31:32 | naif | create |
|