Re: http/2 needs "weaker" ciphers?

Maxim Dounin
October 19, 2015 12:46PM
Hello!

On Mon, Oct 19, 2015 at 10:23:40AM -0400, p.heppler wrote:

> The blacklist note says:
> This list includes those cipher suites that do not offer an ephemeral key
> exchange and those that are based on the TLS null, stream, or block cipher
> type (as defined in Section 6.2.3 of [TLS12]).
>
> But AES256+EECDH:AES256+EDH doesn't match this blacklist because those are
> all ephemeral key exchange ciphers, aren't they?

The blacklist in question includes not only ciphers without
ephemeral key exchange, but also ciphers using various algorithms.

In my tests, use of the AES256+EECDH:AES256+EDH cipher
specification results in ECDHE-RSA-AES256-SHA being negotiated
with Chrome. And it is on the list:

: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Likely it's blacklisted due to use of SHA1.

--
Maxim Dounin
http://nginx.org/
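
Added example, not part of the original message and not nginx or OpenSSL code: a name-based check that applies the blacklist rule quoted above (no ephemeral key exchange, or null/stream/block cipher type) to OpenSSL TLS 1.2 suite names, plus a simple negotiation over two preference lists. Both suite lists are constructed for illustration and are not captured `openssl ciphers` output or a real browser's offer; the function names are hypothetical.

```python
# Heuristic over OpenSSL TLS 1.2 suite names (assumption: names follow
# OpenSSL's usual KX-AUTH-CIPHER-MAC pattern; TLS 1.3 names are not handled).
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")  # EDH- is the legacy DHE spelling


def http2_blacklist_reason(openssl_name):
    """Return why a suite falls under the quoted blacklist rule, or None."""
    name = openssl_name.upper()
    if not name.startswith(EPHEMERAL_PREFIXES):
        return "no ephemeral key exchange"
    if "NULL" in name:
        return "null cipher type"
    if "RC4" in name:
        return "stream cipher type"
    if not any(marker in name for marker in AEAD_MARKERS):
        return "block (CBC) cipher type"
    return None


def negotiate(server_suites, client_suites, prefer_server=True):
    """Pick the first suite of the preferring side that the peer also lists."""
    first, second = ((server_suites, client_suites) if prefer_server
                     else (client_suites, server_suites))
    peer = set(second)
    for suite in first:
        if suite in peer:
            return suite
    return None


# Constructed: a plausible expansion of AES256+EECDH:AES256+EDH for an RSA cert.
SERVER_AES256_ONLY = [
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA", "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-SHA256", "DHE-RSA-AES256-SHA",
]
# Constructed: a client that offers AES-128-GCM but no AES-256 AEAD suite.
CLIENT_OFFER = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA", "AES128-GCM-SHA256", "AES256-SHA",
]

if __name__ == "__main__":
    chosen = negotiate(SERVER_AES256_ONLY, CLIENT_OFFER)
    print(chosen, "->", http2_blacklist_reason(chosen) or "allowed for HTTP/2")
```

With these constructed lists the only common suite is a CBC one, so an AES256-only server specification ends up on a blacklisted suite even though every suite in it uses ephemeral key exchange.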
