On Wed, Aug 2, 2017, at 11:35 AM, Viktor Dukhovni wrote:
> tls_high_cipherlist =
>     !aDSS:!MD5:!kECDH:!kDH:!RC2:!RC5:!IDEA:!SEED:aNULL:-aNULL:HIGH:@STRENGTH
> tls_medium_cipherlist =
>     !aDSS:!MD5:!kECDH:!kDH:!RC2:!RC5:!IDEA:!SEED:aNULL:-aNULL:HIGH:MEDIUM:@STRENGTH
>
> The additional excluded ciphersuites are rarely if ever used and
> either obsolete or unwise or both. Excluding them reduces the
> client TLS HELLO message size, improves interoperability with some
> very old Microsoft systems (now rare) with no expected downgrades
> to cleartext.
AFAICT, none of that would've done any harm in my contexts. I guess RC4 is
already gone. I do see some Au=SRP. No clue yet what those are. And even
though it's enabled I have never seen a CAMELLIA cipher'd message; at least
not in my logs.

From the other thread, I also checked *who* was still sending to me with
Mac=SHA1. Virtually all were garbage I can live without. Especially 4 from
my annoying cousin ;-)

So considering !SHA1 (for a few seconds anyway)
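A practical way to answer the two questions in the reply above ("what are the Au=SRP suites?" and "what would !SHA1 actually drop?") is to expand the cipherlist with `openssl ciphers -v` and filter the result by field. The script below is an added example, not code from the thread or from Postfix; the `openssl ciphers -v` sample lines are constructed by hand in the real output format so the parser can be exercised offline, and `TLS_HIGH` is the `tls_high_cipherlist` value quoted from Viktor's message. `live_ciphers()` runs the installed openssl when one is present; the `postconf -h` usage in the note afterwards assumes a Postfix host.

```python
"""Parse `openssl ciphers -v` output and report which suites in a Postfix
cipherlist still use a given MAC or authentication method.

Added example, not from the mailing-list thread. SAMPLE is constructed by
hand in the format `openssl ciphers -v` prints; live_ciphers() parses the
real expansion of a cipherlist when openssl is installed.
"""
import re
import shutil
import subprocess

# Format of one `openssl ciphers -v` line:
#   NAME  PROTOCOL Kx=... Au=... Enc=NAME(bits) Mac=...
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^(\s]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)

# Constructed sample in the real output format, including the SRP suites
# and the SHA1-MAC suites the reply is asking about (Au=None is aNULL).
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
"""

# tls_high_cipherlist as quoted in the message above.
TLS_HIGH = "!aDSS:!MD5:!kECDH:!kDH:!RC2:!RC5:!IDEA:!SEED:aNULL:-aNULL:HIGH:@STRENGTH"


def parse_ciphers(text):
    """Return one dict per suite (name, proto, kx, au, enc, bits, mac)."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # tolerate blank or unexpected lines rather than failing
            continue
        d = m.groupdict()
        d["bits"] = int(d["bits"]) if d["bits"] else None
        suites.append(d)
    return suites


def suites_using(suites, **attrs):
    """Names of suites whose fields match every given attr, e.g. mac="SHA1"."""
    return [s["name"] for s in suites
            if all(s.get(k) == v for k, v in attrs.items())]


def live_ciphers(cipherlist):
    """Expand a cipherlist with the installed openssl; None if it is absent."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "ciphers", "-v", cipherlist],
                         capture_output=True, text=True, check=True).stdout
    return parse_ciphers(out)


if __name__ == "__main__":
    suites = live_ciphers(TLS_HIGH) or parse_ciphers(SAMPLE)
    print("Au=SRP  :", suites_using(suites, au="SRP"))
    print("Mac=SHA1:", suites_using(suites, mac="SHA1"))
    print("Au=None :", suites_using(suites, au="None"))
```

On a Postfix host the same expansion can be fed straight from the running configuration with `openssl ciphers -v "$(postconf -h tls_high_cipherlist)"`; comparing the Mac=SHA1 list it prints against the suites actually seen in the mail log is the check the reply describes, and it shows what a `!SHA1` exclusion would remove before it is committed to main.cf.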