Thanks for testing this (where did you get test_ciphers?). First, the undocumented directive to set the cipher list is:
http.cipherfilter colon-separated-list
The code assumes the default of:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

I don't see anything in the code that would not set the cipher list via SSL_CTX_set_cipher_list() so it's not apparent what is wrong here. However, the previous version specified
ALL:!LOW:!EXP:!MD5:!MD2

The same as for xroots protocol.

Now, I do know that TLS 1.3 is no longer backward compatible with previous versions of TLS should you specify certain ciphers. Not that we are using TLS 1.3 but may be, see
openssl/openssl#8838

The other issue is if you are using OpenSSL 1.1.1 and give it an unsupported cipher it does absolutely nothing and appears to drop all ciphers with no error indication. The developers claim this is the best compromise they could reach to support TLS 1.3, see issue
openssl/openssl#6296

It would appear that until all of this gets straightened out, specifying explicit ciphers is not recommended. Anyway, use the cipherfilter directive to specify the old string and see what happens. You may even want to check which of those ciphers in the new string is causing the problem. In any case, OpenSSL strikes again!
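
Added example, not part of the message above and not XRootD code: one way to check which names in a colon-separated cipher list the local OpenSSL build accepts, using Python's `ssl` module, whose `set_ciphers()` wraps `SSL_CTX_set_cipher_list()`. The function name `probe_cipher_list` and the name `NOT-A-REAL-CIPHER` are made up for illustration, and the result only reflects the OpenSSL library that Python is linked against, which is assumed to be the one the server uses.

```python
import ssl

# Default cipher list quoted in the message above.
DEFAULT_LIST = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)


def probe_cipher_list(cipher_list):
    """Return (accepted, rejected, effective) for a list of explicit cipher names.

    accepted/rejected: names that the library does / does not accept when
    each one is passed on its own.
    effective: the TLS 1.2-and-below ciphers actually enabled when the whole
    string is applied in one call, which is what a server ends up with.
    Intended for explicit names, not rule strings such as ALL:!LOW.
    """
    accepted, rejected = [], []
    for name in filter(None, cipher_list.split(":")):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ciphers(name)  # raises if nothing matches this name
            accepted.append(name)
        except ssl.SSLError:
            rejected.append(name)

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_list)
        # TLS 1.3 suites are configured separately and are listed regardless
        # of this string, so leave them out of the comparison.
        effective = [c["name"] for c in ctx.get_ciphers()
                     if c["protocol"] != "TLSv1.3"]
    except ssl.SSLError:
        effective = []
    return accepted, rejected, effective


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    # Constructed input: the default list plus one deliberately bogus name.
    ok, bad, live = probe_cipher_list(DEFAULT_LIST + ":NOT-A-REAL-CIPHER")
    print("accepted :", ok)
    print("rejected :", bad)
    print("effective:", live)
```

Comparing `rejected` with `effective` shows whether a name that the library does not know changes what the rest of the string enables.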

