#1 2016-07-03 14:08:31

abi
Member
Registered: 2014-06-15
Posts: 13

Extreme ciphers for webserver

I'm experimenting with nginx linked to libressl.
I used ssl_ciphers 'EECDH+CHACHA20:EECDH+AES256:!SHA1!aNULL';  Yes, it looks very harsh, but it should be compatible with everything modern enough. To my surprise, Firefox (all versions, including forks) refuses to connect, with an ssl_error_no_cypher_overlap error.
It looks like Firefox demands a SHA1 MAC for 256-bit ciphers. Why? TLSv1.2 supports SHA256 or better for the MAC. Isn't Firefox linked to openssl?

openssl s_client -host 10.0.1.3 -port 443
...snap...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

Last edited by abi (2016-07-03 14:09:56)

#2 2016-07-04 10:25:13

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: Extreme ciphers for webserver

According to the Mozilla wiki, Firefox should work with Mac=AEAD|SHA384|SHA256
https://wiki.mozilla.org/Security/Serve … igurations


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
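
An added example, not part of either post: it expands the rule string from post #1 with the local OpenSSL build (through Python's ssl module), reads each suite's Mac= field in the notation quoted in post #2, and checks whether a client offer overlaps with the server list. The two client lists are constructed for illustration, and the rule string is assumed to have a ':' between !SHA1 and !aNULL.

```python
import re
import ssl

# Rule string from post #1, written with ':' before !aNULL (assumption).
SERVER_RULES = "EECDH+CHACHA20:EECDH+AES256:!SHA1:!aNULL"

# Constructed client offers (not captured from any real browser).
CLIENT_SHA1_ONLY_AES256 = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA",
                           "ECDHE-RSA-AES128-SHA", "AES256-SHA"]
CLIENT_WITH_AES256_GCM = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]


def expand(rules):
    """Map suite name -> Mac field for the TLS <= 1.2 suites `rules` selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(rules)  # raises ssl.SSLError if nothing matches
    suites = {}
    for c in ctx.get_ciphers():
        if c["name"].startswith("TLS_"):
            continue  # TLS 1.3 suites are configured separately from this string
        m = re.search(r"Mac=(\S+)", c["description"])
        suites[c["name"]] = m.group(1) if m else "?"
    return suites  # dict insertion order is the server's preference order


def negotiate(server, client_offer):
    """First server-preferred suite the client also offers, or None (no overlap)."""
    offered = set(client_offer)
    return next((name for name in server if name in offered), None)


def explain(server, client_offer):
    """For each offered suite the server rejects, report its Mac field."""
    everything = expand("ALL")
    return {n: everything.get(n, "not in this build")
            for n in client_offer if n not in server}


if __name__ == "__main__":
    server = expand(SERVER_RULES)
    for name, mac in server.items():
        print(f"{name:34} Mac={mac}")
    for offer in (CLIENT_SHA1_ONLY_AES256, CLIENT_WITH_AES256_GCM):
        print(negotiate(server, offer) or "no cipher overlap", explain(server, offer))
```

The printed server list depends on the OpenSSL version Python is linked against, so run it on the host that serves TLS.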
