Skip to content
This repository was archived by the owner on Apr 22, 2023. It is now read-only.
This repository was archived by the owner on Apr 22, 2023. It is now read-only.

honorCipherOrder should be supported for SNI TLS/SSL connections #7249

Closed
Closed
honorCipherOrder should be supported for SNI TLS/SSL connections#7249
Assignees
indutny
Labels
tlsv0.10
Milestone
v0.12
@Rush

Description

@Rush
Rush
opened on Mar 5, 2014

Test is here:
https://gist.github.com/RushPL/9376770
Below test for primary domain is correct:

> openssl s_client -servername test1.com -connect localhost:4000 2> /dev/null|grep Cipher
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

Below test for secondary (SNI resolved) domain is not correct as the cipher should be the same as in the above test:

> openssl s_client -servername test2.com -connect localhost:4000 2> /dev/null|grep Cipher
New, TLSv1/SSLv3, Cipher is RC4-SHA
    Cipher    : RC4-SHA

Forcing server's cipher order is necessary to implement forwarding secrecy https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy

This forbids NSA or other third parties to listen on connections even if the private keys are compromised. Special key exchange happens on negotiation.

I have tried to workaround lack of honorCipherOrder option by manually passing the constant to the Credentials constructor but it fails for some reason. Please advise.

Metadata

Metadata

Assignees

Labels

tlsv0.10

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions