[arch-devops] HTTP/2 on Luna
bluewind at xinu.at
Sun May 8 17:15:47 UTC 2016
On 08.05.2016 18:31, Pierre Schmitz wrote:
> I'd like to enable h2 on luna. Are there any objections?
If it doesn't cause any problems, no objection.
> ssl_prefer_server_ciphers on;
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
I hope those are already set.
> ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
This enables different ciphers than those published by bettercrypto.org
which I believe we use. Especially it enables some DHE-DSS ciphers which
I don't know anything about. I'm assuming it's a different name for DSA,
but I wonder why those are not included in the bettercrypto suite.
Additionally your suite would enable ECDHE-ECDSA ciphers which are also
excluded by bettercrypto. Could you check why they specifically exclude
them and if their reasoning matters for us?
The bettercrypto.org list is `openssl ciphers
| tr ":" "\n"` while yours is `openssl ciphers
EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH | tr ":" "\n"`.
I also just eyeballed the lists. You may want to diff them just in case
I missed something.
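The diff suggested at the end of the message, as an added example that is not part of the original mail: it compares two expanded cipher lists and picks out the DHE-DSS and ECDHE-ECDSA suites the mail asks about. The function names and both sample lists are constructed for illustration; the samples are not the real expansion of either cipher string.

```shell
#!/bin/sh
# Added example: compare two expanded OpenSSL cipher lists.
# Each input is a colon-separated list of cipher names, i.e. what
# `openssl ciphers '<cipher string>'` prints for a given string.

# Constructed sample lists (hypothetical, for offline runs only).
PROPOSED_SAMPLE='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384'
BASELINE_SAMPLE='DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256'

# One cipher name per line, sorted and de-duplicated.
split_list() {
    printf '%s\n' "$1" | tr ':' '\n' | sed '/^$/d' | LC_ALL=C sort -u
}

# Ciphers present in list $1 but absent from list $2.
only_in() {
    {
        split_list "$2" | sed 's/^/B /'   # reference list is read first
        split_list "$1" | sed 's/^/A /'
    } | awk '$1 == "B" { seen[$2] = 1; next }
             !($2 in seen) { print $2 }'
}

# Keep only the two classes questioned in the mail: suites with
# DSS (DSA) authentication and suites with ECDSA authentication.
flag_auth() {
    grep -E '^(DHE-DSS|ECDHE-ECDSA)-' || true
}

# Two-way difference plus the flagged subset of the first list.
report() {
    echo "only in first list:"
    only_in "$1" "$2" | sed 's/^/  /'
    echo "only in second list:"
    only_in "$2" "$1" | sed 's/^/  /'
    echo "DSS/ECDSA-authenticated suites only in first list:"
    only_in "$1" "$2" | flag_auth | sed 's/^/  /'
}

report "$PROPOSED_SAMPLE" "$BASELINE_SAMPLE"

# Against a real OpenSSL build, pass the expanded strings instead
# (the baseline cipher string is not reproduced here):
#   report "$(openssl ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH')" \
#          "$(openssl ciphers '<baseline cipher string>')"
```

The expansion of a cipher string depends on the OpenSSL version and build options, so the comparison should be run on the server that will serve the configuration.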