Hi Tomas/Team,

I have managed to block RC4 and enable TLSv1 as per our requirements.

We have a requirement to match the cipher list on the internal server to the native browser cipher list as shown by https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html. I have tried setting up different combinations in the CipherString but none helped. Do you have any suggestions as to how to achieve this?

--------
Regards,
Junaid

On Fri, Apr 17, 2020 at 6:22 PM Tomas Mraz <tm...@redhat.com> wrote:
> On Fri, 2020-04-17 at 13:03 -0400, Viktor Dukhovni wrote:
> > On Fri, Apr 17, 2020 at 05:17:47PM +0200, Tomas Mraz wrote:
> >
> > > Or you could modify the /etc/pki/tls/openssl.cnf:
> > > Find the .include /etc/crypto-policies/back-ends/opensslcnf.config
> > > line in it and insert something like:
> > >
> > > CipherString =
> > > @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!RC4:
> > > !IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
> >
> > How did this particular contraption become a recommended cipherlist?
>
> To explain - this is basically an autogenerated value from the crypto
> policy definition of the LEGACY crypto policy with just the !RC4 added.
>
> > What's wrong with "DEFAULT"? In OpenSSL 1.1.1 it already excludes
> > RC4 (if RC4 is at all enabled at compile time):
>
> Nothing wrong with DEFAULT. For manual configuration. This is however
> something that is autogenerated.
>
> > $ openssl ciphers -v 'COMPLEMENTOFDEFAULT+RC4'
> > ECDHE-ECDSA-RC4-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
> > ECDHE-RSA-RC4-SHA TLSv1 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
> > RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
> >
> > I find too many people cargo-culting poorly thought cipher lists from
> > some random HOWTO. Over optimising your cipherlist is subject to
> > rapid bitrot, resist the temptation...
>
> Yeah, I should have probably suggested just: CipherString = DEFAULT
>
> There is not much point in being as close to the autogenerated policy
> as possible for this particular user's use-case.
>
> --
> Tomáš Mráz
> No matter how far down the wrong road you've gone, turn back.
> Turkish proverb
> [You'll know whether the road is wrong if you carefully listen to your
> conscience.]
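A practical way to verify what a CipherString actually yields, rather than reasoning about the string itself, is to parse the `openssl ciphers -v` listing and flag any suite the policy in this thread is meant to exclude (RC4, eNULL, aNULL, MD5). The following is an added example, not code from the thread or from OpenSSL; the embedded sample listing is constructed from the three RC4 lines quoted above plus two suites from a typical DEFAULT list.

```python
"""Audit an `openssl ciphers -v` listing for suites a cipher policy forbids."""
import re
import subprocess

# Constructed sample listing in `openssl ciphers -v` format: two DEFAULT suites
# followed by the three RC4 suites Viktor's COMPLEMENTOFDEFAULT+RC4 output shows.
SAMPLE_LISTING = """\
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-RC4-SHA     TLSv1 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
ECDHE-RSA-RC4-SHA       TLSv1 Kx=ECDH     Au=RSA   Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA   Enc=RC4(128)  Mac=SHA1
"""

# One `-v` line: NAME PROTO Kx=... Au=... Enc=... Mac=...
FIELD_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")


def parse_listing(text):
    """Turn `openssl ciphers -v` output into a list of suite dicts; skips non-matching lines."""
    suites = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            name, proto, kx, au, enc, mac = m.groups()
            suites.append({"name": name, "proto": proto, "kx": kx, "au": au, "enc": enc, "mac": mac})
    return suites


def policy_violations(suites):
    """Return (suite name, [reasons]) for every suite hitting an exclusion from the thread's policy."""
    bad = []
    for s in suites:
        reasons = []
        if s["enc"].startswith("RC4"):   # !RC4
            reasons.append("RC4")
        if s["enc"] == "None":           # !eNULL: no encryption at all
            reasons.append("eNULL")
        if s["au"] == "None":            # !aNULL: anonymous key exchange
            reasons.append("aNULL")
        if s["mac"] == "MD5":            # !MD5
            reasons.append("MD5")
        if reasons:
            bad.append((s["name"], reasons))
    return bad


def live_listing(cipherstring="DEFAULT"):
    """Listing from the local openssl binary for `cipherstring`; empty string if unavailable."""
    try:
        res = subprocess.run(["openssl", "ciphers", "-v", cipherstring],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return ""
    return res.stdout
```

Feeding `live_listing("DEFAULT")` (or the CipherString from your openssl.cnf) into `policy_violations(parse_listing(...))` should return an empty list on an OpenSSL 1.1.1 build where RC4 is excluded.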