I have SSLCipherSuite configured as High:Medium:!aNULL:!eNULL:+High:+Medium

Here I can understand that it matches or includes the ciphers with triple DES (High) and 128-bit encryption (Medium) at the start, and then it ignores those which are not authenticated and encrypted. Now the question is why there is +High and +Medium again when I already used them at the start. Or is it a wrong configuration? Can it be configured like this?

Please clarify, I could not get any such examples.

Sunny
    Consider using https://mozilla.github.io/server-side-tls/ssl-config-generator/ rather than fiddling with the details yourself? –  Jul 15 '18 at 22:16

1 Answer

From the documentation of ciphers in OpenSSL:

CIPHER LIST FORMAT
... Each cipher string can be optionally preceded by the characters !, - or +
... If + is used then the ciphers are moved to the end of the list. This option doesn't add any new ciphers it just moves matching existing ones.

Thus, in your example the first part HIGH:MEDIUM:!aNULL:!eNULL would add the given ciphers to the list (note that it should be HIGH not High etc). A following +HIGH would then move all HIGH ciphers to the end of the list and the following +MEDIUM the same with all MEDIUM ciphers (i.e. after the HIGH) so that at the end the cipher order contains first the HIGH ciphers and then the MEDIUM ones.

Steffen Ullrich
  • Thanks Steffen, this gave me a clear understanding now :) – Sunny Jul 15 '18 at 22:24
  • @Sunny: This is a different question and thus should not be asked in a comment. And maybe you try to read the documentation I've referenced and figure it out yourself this time, i.e. make at least a proposal of how you understood the documentation instead of asking others to read and explain it fully for you. – Steffen Ullrich Jul 16 '18 at 04:12
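
The reordering described in the answer can be traced step by step with a small model. This is an added example, not part of the original answer and not OpenSSL's code: the cipher catalogue and its HIGH/MEDIUM tags are constructed sample data, and `apply_cipher_string` is a hypothetical helper that implements only the plain, `!`, `-` and `+` operators from the quoted documentation.

```python
# Simplified model of the cipher-string operators quoted from the OpenSSL docs.
# CATALOGUE is constructed sample data: the tags are assigned for illustration
# and do not reproduce OpenSSL's real cipher table or its internal ordering.
CATALOGUE = [
    ("ECDHE-RSA-AES256-GCM-SHA384", {"HIGH"}),
    ("AES128-SHA",                  {"HIGH"}),
    ("ADH-AES256-SHA",              {"HIGH", "aNULL"}),
    ("SEED-SHA",                    {"MEDIUM"}),
    ("RC4-SHA",                     {"MEDIUM"}),
    ("NULL-SHA",                    {"eNULL"}),
]

def matches(keyword):
    """Names of all catalogue ciphers selected by a keyword or exact name."""
    return [name for name, tags in CATALOGUE if keyword in tags or keyword == name]

def apply_cipher_string(spec, trace=None):
    """Return the preference list produced by a colon-separated cipher string."""
    active, killed = [], set()          # current list, and '!'-deleted ciphers
    for item in spec.split(":"):
        if not item:
            continue
        op = item[0] if item[0] in "!-+" else ""
        hits = matches(item[len(op):])
        if op == "!":                   # permanent delete: can never come back
            killed.update(hits)
            active = [c for c in active if c not in hits]
        elif op == "-":                 # delete, but may be re-added later
            active = [c for c in active if c not in hits]
        elif op == "+":                 # move existing matches to the end only
            moved = [c for c in active if c in hits]
            active = [c for c in active if c not in hits] + moved
        else:                           # append matches not already present
            active += [c for c in hits if c not in active and c not in killed]
        if trace is not None:
            trace.append((item, list(active)))
    return active

if __name__ == "__main__":
    steps = []
    apply_cipher_string("HIGH:MEDIUM:!aNULL:!eNULL:+HIGH:+MEDIUM", steps)
    for item, state in steps:
        print(f"{item:8} -> {state}")
```

On a real host, `openssl ciphers -v '<cipher string>'` prints the list that the installed OpenSSL build produces for a given string.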