On 12/10/18 12:25 PM, Viktor Dukhovni wrote:
On Dec 10, 2018, at 7:22 AM, Alice Wonder <al...@domblogger.net> wrote:ssl_min_protocol = TLSv1.2 ssl_cipher_list = EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH ssl_prefer_server_ciphers = yesThe cipherlist syntax is wrong, you're missing a ":" between "!LOW" and "@STRENGTH". My advice is that non-experts should not be asked or attempt to configure explicit TLS cipherlists. Let the defaults stand, and use software that comes with sensible defaults, upgrading periodically to keep the default configuration current.
You are right there is a typo that didn't get caught.You are actually wrong that it is better to let defaults stand. With a lot of software, upstream doesn't give a damn.
Even in this thread someone pointed out that Debian defaults to 1024-bit RSA. You end up with things like SHA1 still enabled because upstream thought the compatibility mattered more than the security.
So yes, I made a typo, and maybe I'm not a guru but the reason why I fiddle with this stuff is because when I didn't - too often the "experts" left things in a way that were dangerous.
-- For signature trust anchor (paranoid only need worry 'bout this): https://ca.pipfrosch.com/pipfrosch-cacert-pem.crt Webmail clients, sorry, out of luck, you can't import it. Get an actual e-mail app.
smime.p7s
Description: S/MIME Cryptographic Signature
