On Sat, Feb 21, 2015 at 05:27:42PM +0100, Vincent Bernat wrote:
> 21 February 2015 13:29 +0100, Kurt Roeckx <k...@roeckx.be> :
>
> >> > The defaults are good enough, as long as you don't really care
> >> > about PFS because IE doesn't have those at the top of its list.
> >> > If you just change it to prefer the default server ordering you
> >> > should already have a decent list, but it prefers AES256 over
> >> > AES128 while there is no need for that.
> >>
> >> PFS, performance and an A+ grade on the Qualys SSL test. This may be a bit less
> >> true today since most browsers are now supporting ECDHE ciphers, but it
> >> still holds, I think.
> >
> > Do you know what the minimum change requirements are to get an
> > A(+)?
> > I'm guessing it requires at least this in wheezy:
> > - SSLProtocol all -SSLv3
> > - SSLHonorCipherOrder off
> >
> > It might require you to disable RC4, but if that's the case we
> > should probably talk to Qualys about it.
>
> Yes, grade capped to B if accepting RC4. I see two possibilities for
> this choice: either downgrade attacks (when not circumvented), or it
> is considered preferable to use AES or even 3DES (the BEAST attack being
> prevented on the server side).
I don't see how you're going to do a downgrade attack to RC4. Yes, clients like IE will enable RC4 on a fallback. But if the server supports something other than RC4 it should still pick that other thing.

Kurt
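As an added illustration, not posted by anyone in this thread: the two mod_ssl directives Kurt lists, together with the RC4 exclusion Vincent says the Qualys grade depends on, written out as a wheezy (Apache 2.2 / OpenSSL 1.0.1) virtual-host fragment. The "before" block is an assumed permissive configuration for contrast, and the cipher string is my own choice for this example, not a value from the thread: it puts ECDHE suites first for forward secrecy, lists AES128 ahead of AES256 as Kurt suggests, removes RC4 and the anonymous/export suites, and keeps 3DES only as a last resort for old clients. Server ordering is switched on here so that the server's preference, not the client's, decides which suite is negotiated.

```apache
# Added example, not from the thread: mod_ssl settings for a wheezy vhost.

# Assumed permissive starting point (illustrative, not a quoted default):
# every protocol version enabled, the client's cipher preference honoured,
# and RC4 accepted because browsers such as IE list it high.
#SSLProtocol all
#SSLHonorCipherOrder off
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

# Hardened along the lines discussed above:
# - drop SSLv3 entirely,
# - let the server's order win so an ECDHE suite is chosen whenever the
#   client offers one, even if the client ranks RC4 or AES256 first,
# - refuse RC4 so a client falling back to it cannot negotiate it, and
#   so the Qualys grade is no longer capped at B.
SSLProtocol all -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!PSK
```

After reloading Apache, the quickest check of the RC4 point is to force an RC4-only client hello against the server, e.g. `openssl s_client -connect example.org:443 -cipher RC4`; with the hardened block the handshake must fail, while a default `openssl s_client -connect example.org:443` should report an ECDHE-RSA-AES128 suite as the negotiated cipher.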