On 08.05.2016 18:31, Pierre Schmitz wrote:
> I'd like to enable h2 on luna. Are there any objections?
If it doesn't cause any problems, no objection.
> ssl_prefer_server_ciphers on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
I hope those are already set.
> ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
This enables different ciphers than those published by bettercrypto.org which I believe we use. Especially it enables some DHE-DSS ciphers which I don't know anything about. I'm assuming it's a different name for DSA, but I wonder why those are not included in the bettercrypto suite. Additionally your suite would enable ECDHE-ECDSA ciphers which are also excluded by bettercrypto. Could you check why they specifically exclude them and if their reasoning matters for us? The bettercrypto.org list is `openssl ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA' | tr ":" "\n"` while yours is `openssl ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH | tr ":" "\n"`. I also just eyeballed the lists. You may want to diff them just in case I missed something.

Florian
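The diff Florian suggests, as an added script that is not part of the thread: it expands both cipher strings with the local openssl, prints what each string enables that the other does not, and tags every suite with the authentication algorithm its OpenSSL name implies, so DHE-DSS and ECDHE-ECDSA suites stand out. It assumes openssl, comm and mktemp are on PATH; the cipher strings are copied from the mail and the expanded lists depend on the installed OpenSSL version.

```shell
#!/bin/sh
# Added example (not from the thread): compare the two cipher strings quoted
# above and tag each suite with its authentication algorithm.
# Assumes openssl, comm and mktemp on PATH; output depends on the local OpenSSL.
export LC_ALL=C

# Cipher strings copied from the mail.
BETTERCRYPTO='EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
PROPOSED='EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'

# auth_alg SUITE: authentication algorithm implied by an OpenSSL suite name.
auth_alg() {
    case "$1" in
        *-DSS-*)   echo DSS ;;
        *-ECDSA-*) echo ECDSA ;;
        TLS_*)     echo 'TLS1.3 (cert type independent)' ;;
        *)         echo RSA ;;   # DHE-RSA-, ECDHE-RSA- and plain RSA key exchange
    esac
}

# only_in LIST_A LIST_B: newline-separated entries of A that are absent from B.
only_in() {
    fa=$(mktemp) fb=$(mktemp)
    printf '%s\n' "$1" | grep -v '^$' | sort -u >"$fa"
    printf '%s\n' "$2" | grep -v '^$' | sort -u >"$fb"
    comm -23 "$fa" "$fb"
    rm -f "$fa" "$fb"
}

# expand CIPHERSTRING: one suite per line, or nothing if openssl rejects it.
expand() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n'
}

# tag_lines: prefix each suite read from stdin with its authentication algorithm.
tag_lines() {
    while IFS= read -r suite; do
        printf '%-8s %s\n' "$(auth_alg "$suite")" "$suite"
    done
}

if command -v openssl >/dev/null 2>&1; then
    bc=$(expand "$BETTERCRYPTO")
    pr=$(expand "$PROPOSED")
    echo '== enabled by the proposed string but not by bettercrypto =='
    only_in "$pr" "$bc" | tag_lines
    echo '== enabled by bettercrypto but not by the proposed string =='
    only_in "$bc" "$pr" | tag_lines
fi
```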