0

We have SSLv3 disabled in DataPower. I ran sslscan to check what all cipher suits can be used currently during ssl handshake.

In the sslscan output, I have found out that below cipher suits are being accepted.

TLSv1 256 bits AES256-SHA TLSv1 128 bits AES128-SHA TLSv1 168 bits DES-CBC3-SHA TLSv1 128 bits RC4-SHA

Preferred Server Cipher: TLSv1 256 bits AES256-SHA

I then, disabled TLS1.0 on DataPower (server) and ran the sslscan again. The result was not what I was expecting. All the ciphersuits including the ones which were accepted during handshake over TLS1.0 are being rejected.

How would I come to know, which cipher suits my server will accept if I disable TLS1.0?

user2607367
  • 11
  • 1
  • 6
  • RTFRFC: https://www.ietf.org/rfc/rfc5246.txt Also might just be an RTFM issue. Not sure about your application, but it's possible that the cipher suite selections could be defined on a per-protocol level. So, if you cut off TLS 1.0 without defining any allowed ciphers for 1.2, you'd end up with what you have. – Iszi Dec 15 '15 at 14:27
  • We have TLS1.1 and 1.2 protocols enabled. – user2607367 Dec 16 '15 at 15:45

1 Answers1

1

It depends on what is implemented by, and built into, the TLS implementation (of the server and client). You will have to read the manual or talk to support, or keep testing.

There are quite a few write ups about the choice of cipher suite out there. Have a look at say Mozilla OpSec's openssl cipher strings. The preference order of the list, what is not allowed, and also the client compatibility discussion may be of interest.

John Mahowald
  • 32,050
  • 2
  • 19
  • 34