tech-security archive


Re: httpd vs TLS



On Fri, Mar 18, 2016 at 07:31:02AM +0000, Mateusz Kocielski wrote:
> On Fri, Mar 18, 2016 at 12:35:25AM +0100, Thomas Klausner wrote:
> > On Thu, Mar 17, 2016 at 04:46:02PM -0400, tr%vispaul.me@localhost wrote:
> > > On 2016-03-17 16:30, Mateusz Kocielski wrote:
> > > >older browsers have troubles in connecting to bozo as its current
> > > >configuration is too restrictive.
> > > 
> > > Trying the Intermediate compatibility cipher list should fix it:
> > > https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
> > > 
> > > I've tested it with Firefox 45 and httpd from current with something like:
> > > 
> > > CIPHERS="... list of ciphers from link ..."
> > > /usr/libexec/httpd -b -f -X -s -z $CIPHERS -Z /root/my.cert /root/my.key /var/www
> > > 
> > > And that worked for me, the default cipher list compiled into httpd is a bit
> > > too restrictive for Firefox and older browsers.  I didn't need to enable
> > > TLS 1.0 or recompile in my test.
> > 
> > Thank you. I've added the list from the link and it seems to work fine now.
> > 
> > There's still one problem, but that's not for this list (redirect broken).
> 
> Do we really want to refuse all clients listed in "handshake simulation" here?:
> 
> https://www.ssllabs.com/ssltest/analyze.html?d=wip.pkgsrc.org&s=195.22.142.117&hideResults=on

That does list iOS 9, but I can connect from an iOS 9 device without
problems. So I wonder how correct it is.
 Thomas
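The disagreement above (SSL Labs' handshake simulation says iOS 9 is refused, a real iOS 9 device connects fine) is the kind of thing worth settling by talking to the server directly. The script below is an added example, not code from this thread or from bozohttpd: it probes a host with openssl s_client once per TLS version and reports the protocol and cipher that were actually negotiated, which is what a client-side failure ultimately depends on. The host name, port and the two sample s_client transcripts are constructed for illustration; only the parsing of the "Protocol :" and "Cipher :" lines of the SSL-Session block is exercised offline.

```shell
#!/bin/sh
# Added example (not from the original thread or from bozohttpd).
# Reports which protocol/cipher a TLS server negotiates per TLS version, as a
# cross-check on what an online scanner claims about client compatibility.

# parse_handshake OUTPUT
#   Pull "PROTOCOL CIPHER" out of the SSL-Session block printed by
#   `openssl s_client`. When no session was set up, s_client prints
#   "Cipher : 0000" (or "(NONE)"), which we report as NONE.
parse_handshake() {
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$cipher" in
        ""|0000|"(NONE)") echo "NONE" ;;
        *) echo "$proto $cipher" ;;
    esac
}

# probe_version HOST PORT FLAG
#   Connect once with the given openssl version flag (-tls1, -tls1_1,
#   -tls1_2) and print what was negotiated. Needs network access.
probe_version() {
    host=$1; port=$2; flag=$3
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
            "$flag" </dev/null 2>/dev/null || true)
    parse_handshake "$out"
}

# Constructed sample transcripts (not captured from a real host) showing the
# two shapes of s_client output that parse_handshake has to handle.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 4F2A
    Master-Key: 9C1D'

SAMPLE_FAIL='CONNECTED(00000003)
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

demo() {
    parse_handshake "$SAMPLE_OK"    # TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    parse_handshake "$SAMPLE_FAIL"  # NONE
    # Live probe of an assumed host (uncomment when online):
    # for f in -tls1 -tls1_1 -tls1_2; do
    #     printf '%s: ' "$f"; probe_version wip.pkgsrc.org 443 "$f"
    # done
}

demo
```

A NONE for every version a given client supports is a refusal that matters; a NONE only for -tls1 on a server that deliberately disables TLS 1.0 is not. Before passing a cipher string to httpd's -z option it is also worth running `openssl ciphers -v "$CIPHERS"` against the same OpenSSL the server is linked with, since the expansion of a Mozilla-style list depends on which suites that library actually provides.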

