Re: [Assp-test] Couldn't upgrade to TLS for client

[Grayhat <gr...@gm...>]

:: On Fri, 3 Jun 2016 12:29:01 +0200
:: <201...@gm...>
:: Grayhat <gr...@gm...> wrote:

> :: On Fri, 3 Jun 2016 10:17:58 +0000
> :: <5AD00D80569E0F4F9A12BBB01F00EE795A868C51@BCSW-SMX07.mymhp.net>
> :: Martin Voßloh <Mar...@mh...> wrote:
> 
> > Hi,
> >   
> > it´s possible that the entry is going wrong in this mail?    
> > 
> > kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED
> > 
> > the "k" in front of some entrys?  
> 
> no, the "k" is correct, stands for "key exchange" and is accepted by
> OpenSSL w/o problems (also tried it with other apps using OpenSSL to
> implement SSL support)

notice that, using the above string, you'll offer the following ciphers

Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384    
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA       
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384  
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256      
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA         
Accepted  TLSv1.2  256 bits  DHE-RSA-CAMELLIA256-SHA    
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
Accepted  TLSv1.2  256 bits  AES256-SHA256
Accepted  TLSv1.2  256 bits  AES256-SHA
Accepted  TLSv1.2  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256    
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA       
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256  
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256      
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA         
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  128 bits  ECDHE-RSA-RC4-SHA          
Accepted  TLSv1.2  128 bits  RC4-SHA
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA       
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA         
Accepted  TLSv1.1  256 bits  DHE-RSA-CAMELLIA256-SHA    
Accepted  TLSv1.1  256 bits  AES256-SHA
Accepted  TLSv1.1  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA       
Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA         
Accepted  TLSv1.1  128 bits  AES128-SHA
Accepted  TLSv1.1  128 bits  ECDHE-RSA-RC4-SHA          
Accepted  TLSv1.1  128 bits  RC4-SHA
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA       
Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA         
Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA    
Accepted  TLSv1.0  256 bits  AES256-SHA
Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA       
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA         
Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  128 bits  ECDHE-RSA-RC4-SHA          
Accepted  TLSv1.0  128 bits  RC4-SHA

if using a normal certificate, if instead you have an ECDSA enabled
certificate, you'll also offer the following ciphers in addition to
the above (and preferred)

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256

as you see, the setup offers the stronger ciphers firts while still
mantaining support for weaker, older ones as a last resource which
helps mantaining compatibility with older clients