by CrLf 4887 days ago
For openssl 0.9.8, where "ECDHE-RSA-AES128-SHA256" and "AES128-GCM-SHA256" aren't supported, that cipher suite actually places RC4 40bit as the preferred cipher ("openssl ciphers -v").

For that reason, I prefer to explicitly list the ciphers to be used to avoid situations like this or when OpenSSL decides to modify its cipher list.

FWIW, this is what I use:

ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:RC4-SHA:AES128-SHA:AES256-SHA;