On Thu, 6 Jul 2017 at 18:41 Detlef Graef <d.gr...@vodafone.de> wrote:
> Something like:
>
> <tlsver>TLS-VER-ALL</tlsver> with TLS-VER-ALL as the default value.
>
> possible other values:
>
> <tlsver>VERS-TLS1.0</tlsver> force TLS ver. 1.0
> <tlsver>VERS-TLS1.1</tlsver> force TLS ver. 1.1
> <tlsver>VERS-TLS1.2</tlsver> force TLS ver. 1.2
> <tlsver>VERS-TLS1.3</tlsver> (in the future)
>

In case it helps, there are MANY SSL capable servers and clients out there, and rather than reinvent the wheel, how these guys configure their software should probably be taken into consideration (they've been doing it for a long time ;) )

Here's a link to the nginx config page for SSL, which I chose because it is fairly representative

http://nginx.org/en/docs/http/configuring_https_servers.html

To me this would translate to XML of something like:

<ssl_protocol>ALL</ssl_protocol>
<ssl_ciphers>ALL</ssl_ciphers>

or

<ssl_protocol>TLSv1.2</ssl_protocol>
<ssl_ciphers>HIGH:!aNULL:!MD5</ssl_ciphers>

or maybe a good compromise between compatibility and safety that I've used ;-)

<ssl_protocol>TLSv1 TLSv1.1 TLSv1.2</ssl_protocol>
<ssl_ciphers>EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5</ssl_ciphers>

Just my 2p.

Steve
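Added example (not part of the original message, and not Pan's code): one way the nginx-style <ssl_protocol> and <ssl_ciphers> elements proposed above could be mapped onto a TLS client context, shown with Python's ssl module. The <server> wrapper element, the function names, and reading ALL as "keep the library defaults" are assumptions made for this sketch.

```python
import ssl
import xml.etree.ElementTree as ET

# Protocol names accepted in <ssl_protocol>, oldest first (nginx-style spelling).
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Constructed sample; the <server> wrapper element is an assumption.
SAMPLE = """<server>
  <ssl_protocol>TLSv1.2</ssl_protocol>
  <ssl_ciphers>HIGH:!aNULL:!MD5</ssl_ciphers>
</server>"""

def protocol_range(text):
    """Map e.g. 'TLSv1.1 TLSv1.2' to a (lowest, highest) TLSVersion pair."""
    names = text.split()
    unknown = [n for n in names if n not in VERSIONS]
    if unknown or not names:
        raise ValueError(f"bad ssl_protocol value: {text!r}")
    order = list(VERSIONS)
    idx = sorted({order.index(n) for n in names})
    # minimum_version/maximum_version describe a range, so a list with a hole
    # (TLSv1 + TLSv1.2 without TLSv1.1) cannot be expressed and is rejected.
    if idx != list(range(idx[0], idx[-1] + 1)):
        raise ValueError(f"ssl_protocol list is not contiguous: {text!r}")
    return VERSIONS[order[idx[0]]], VERSIONS[order[idx[-1]]]

def context_from_xml(xml_text):
    """Build a client-side SSLContext from the two proposed elements."""
    root = ET.fromstring(xml_text)
    # create_default_context() keeps certificate and hostname verification on.
    ctx = ssl.create_default_context()
    proto = (root.findtext("ssl_protocol") or "ALL").strip()
    if proto != "ALL":  # assumption: ALL = keep the library's own defaults
        ctx.minimum_version, ctx.maximum_version = protocol_range(proto)
    ciphers = (root.findtext("ssl_ciphers") or "ALL").strip()
    if ciphers != "ALL":  # same assumption for the cipher list
        # OpenSSL cipher string; it governs TLS 1.2 and older suites only.
        ctx.set_ciphers(ciphers)
    return ctx

if __name__ == "__main__":
    ctx = context_from_xml(SAMPLE)
    print(ctx.minimum_version.name, ctx.maximum_version.name)
```
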