Re: httpd vs TLS

[Mateusz Kocielski <shm%digitalsun.pl@localhost>]

On Fri, Mar 18, 2016 at 12:35:25AM +0100, Thomas Klausner wrote:
> On Thu, Mar 17, 2016 at 04:46:02PM -0400, tr%vispaul.me@localhost wrote:
> > On 2016-03-17 16:30, Mateusz Kocielski wrote:
> > >older browsers have troubles in connecting to bozo as it's current
> > >configuration is too restrictive.
> > 
> > Trying the Intermediate compatibility cipher list should fix it:
> > https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
> > 
> > I've tested it with Firefox 45 and httpd from current with something like:
> > 
> > CIPHERS="... list of ciphers from link ..."
> > /usr/libexec/httpd -b -f -X -s -z $CIPHERS -Z /root/my.cert /root/my.key
> > /var/www
> > 
> > And that worked for me, the default cipher list compiled into httpd is a bit
> > too
> > restrictive for Firefox and older browsers.  I didn't need to enable TLS 1.0
> > or
> > recompile in my test.
> 
> Thank you. I've added the list from the link and it seems to work fine now.
> 
> There's still one problem, but that's not for this list (redirect broken).

Do we realy want to refuse all clients listed in "handshake simulation" here?:

https://www.ssllabs.com/ssltest/analyze.html?d=wip.pkgsrc.org&s=195.22.142.117&hideResults=on

 Mateusz