Hi misc readers! This is my first attempt to ask for help using misc@openbsd.org, so please bear with me if I'm making mistakes. Also, apologies if I'm asking about something recently discussed.
I want to limit the number of tls ciphers in httpd.conf so that only strong (>128 bit) ciphers with Forward Secrecy capabilities (ECDHE) are accepted. I'm also only using TLSv1.2.

My current httpd.conf contains a line saying tls ciphers "STRONG:ECDHE:!aNULL:!SSLv3:@STRENGTH" which renders out "Configuration OK" with '# /usr/sbin/httpd -n'. Also, when testing that string using # openssl ciphers -v 'STRONG:ECDHE:!aNULL:!SSLv3:@STRENGTH' I get a nice, acceptable list of the ciphers.

However, when running a server test (https://www.ssllabs.com/ssltest/analyze.html?d=andreasthulin.se), there's a much longer list of ciphers, including both non-FS and medium strength ciphers. I'm thinking that either 1. my assumption that my httpd.conf is all dandy is wrong (highly probable), 2. SSL Labs is lying to me (improbable), or 3. there's some sort of bug in httpd (improbable).

Does anyone have any pointers?

OpenBSD 5.8-current (GENERIC) #1095: Mon Aug 24. i386.

BR Andreas
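As an added example (not from the original post or from OpenBSD's httpd), a small Python audit that checks `openssl ciphers -v` output against the policy stated above: TLSv1.2 only, ECDHE key exchange, no anonymous auth, and more than 128-bit encryption. The embedded sample lines are constructed; when real output is piped in on stdin the script audits that instead.

```python
import re
import sys

# Constructed sample in `openssl ciphers -v` format (not captured from any real host).
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256               TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES256-SHA        SSLv3   Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
"""

# One `openssl ciphers -v` line: name, protocol, then Kx=/Au=/Enc=/Mac= columns.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")


def enc_bits(enc):
    """Key size of the Enc= column; 0 when unknown so the cipher is rejected."""
    m = re.search(r"\((\d+)\)", enc)
    if m:
        return int(m.group(1))
    if "chacha20" in enc.lower():
        return 256  # LibreSSL prints ChaCha20-Poly1305 without a bit count
    return 0


def audit(text, min_bits=128, proto="TLSv1.2"):
    """Return (accepted, rejected); each entry is (cipher name, list of reasons)."""
    accepted, rejected = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or unexpected lines
        name, ver, kx, au, enc, mac = m.groups()
        reasons = []
        if ver != proto:
            reasons.append("protocol %s" % ver)
        if kx != "ECDH":  # static ECDH shows as ECDH/RSA or ECDH/ECDSA, so exact match only
            reasons.append("no forward secrecy (Kx=%s)" % kx)
        if au == "None":
            reasons.append("anonymous")
        bits = enc_bits(enc)
        if bits <= min_bits:
            reasons.append("%d-bit cipher" % bits)
        (rejected if reasons else accepted).append((name, reasons))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = audit(SAMPLE if sys.stdin.isatty() else sys.stdin.read())
    for name, reasons in bad:
        print("REJECT %-28s %s" % (name, "; ".join(reasons)))
    print("%d accepted, %d rejected" % (len(ok), len(bad)))
```

Usage on a live cipher string: `openssl ciphers -v 'STRONG:ECDHE:!aNULL:!SSLv3:@STRENGTH' | python3 audit.py`.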