[arch-devops] HTTP/2 on Luna

Florian Pritz bluewind at xinu.at
Sun May 8 17:15:47 UTC 2016


On 08.05.2016 18:31, Pierre Schmitz wrote:
> I'd like to enable h2 on luna. Are there any objections?

If it doesn't cause any problems, no objection.

> ssl_prefer_server_ciphers on;
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

I hope those are already set.

> ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

This enables different ciphers than those published by bettercrypto.org
which I believe we use. Especially it enables some DHE-DSS ciphers which
I don't know anything about. I'm assuming it's a different name for DSA,
but I wonder why those are not included in the bettercrypto suite.
Additionally your suite would enable ECDHE-ECDSA ciphers which are also
excluded by bettercrypto. Could you check why they specifically exclude
them and if their reasoning matters for us?

The bettercrypto.org list is `openssl ciphers
'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
| tr ":" "\n"` while yours is `openssl ciphers
EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH | tr ":" "\n"`.

I also just eyeballed the lists. You may want to diff them just in case
I missed something.

Florian
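The diff Florian suggests, done mechanically rather than by eye. This is an added example, not something posted in the thread: it expands the two cipher strings quoted above with `openssl ciphers -v`, lists the suites each enables that the other does not, and prints the authentication algorithms the proposed string turns on (in OpenSSL's `Au=` column, `DSS` is its name for DSA signatures, and `ECDSA` suites are only usable with an ECDSA certificate). It assumes an `openssl` binary; the expansion depends on the installed OpenSSL version, and the TLS 1.3 suites that OpenSSL 1.1.1 and later always print are filtered out because nginx's `ssl_ciphers` does not govern them.

```shell
#!/bin/sh
# Added example, not part of the thread: compare two OpenSSL cipher strings by
# expanding them on this host. Requires the openssl binary; output depends on the
# installed OpenSSL version.
set -eu

# The two strings exactly as quoted in the thread.
BETTERCRYPTO='EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
PROPOSED='EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'

# expand_ciphers CIPHERSTRING: one suite name per line, sorted, as OpenSSL
# resolves the string here. TLS 1.3 suites are dropped: OpenSSL >= 1.1.1 always
# lists them, but nginx configures them separately from ssl_ciphers.
expand_ciphers() {
    openssl ciphers -v "$1" | awk '$2 != "TLSv1.3" { print $1 }' | sort -u
}

# only_in STRING_A STRING_B: suites enabled by A that B does not enable.
only_in() {
    a=$(mktemp); b=$(mktemp)
    expand_ciphers "$1" >"$a"
    expand_ciphers "$2" >"$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# auth_methods CIPHERSTRING: distinct authentication algorithms the string
# enables, taken from the Au= column of `openssl ciphers -v` (RSA, DSS, ECDSA...).
auth_methods() {
    openssl ciphers -v "$1" \
        | awk '$2 != "TLSv1.3" { sub(/^Au=/, "", $4); print $4 }' \
        | sort -u
}

# Print the full comparison when invoked as: sh compare-ciphers.sh --report
if [ "${1:-}" = "--report" ]; then
    echo "== Suites only in the bettercrypto.org list =="
    only_in "$BETTERCRYPTO" "$PROPOSED"
    echo
    echo "== Suites only in the proposed list =="
    only_in "$PROPOSED" "$BETTERCRYPTO"
    echo
    echo "== Authentication algorithms enabled by the proposed list =="
    auth_methods "$PROPOSED"
fi
```

Anything the third section prints besides `RSA` is a suite the server can never actually negotiate unless a certificate of that key type is installed, which is the practical answer to the DSS and ECDSA question raised in the reply.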
