
List of cipher suites shorter than expected

Question asked by Jaap Vermeer on Sep 26, 2014
Latest reply on Sep 26, 2014 by Jaap Vermeer

Apache Config snippet:

SSLCipherSuite ECDH-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA

SSLHonorCipherOrder on

openssl ciphers -V 'ECDH-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA' gives:

0xC0,0x2A - ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384

0xC0,0x26 - ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384

0xC0,0x14 - ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH    Au=RSA  Enc=AES(256)  Mac=SHA1

0xC0,0x0A - ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH    Au=ECDSA Enc=AES(256)  Mac=SHA1

The ssllabs analysis says:

Cipher Suites (sorted by strength; the server has no preference)

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)  ECDH 256 bits (eq. 3072 bits RSA)  FS 256

...

IE 8-10 / Win 7  R Protocol or cipher suite mismatch Fail3

...

(3) Only first connection attempt simulated. Browsers tend to retry with a lower protocol version.

Yet when I connect with IE10/Win7 to my site it works.

Is it a bug on ssllabs side that it only shows 1 cipher?
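
Added example, not part of the original question and not SSL Labs' or OpenSSL's code: a server can only negotiate a suite whose Au= type matches a certificate it holds, so a scanner lists only those suites. The sketch below parses the posted `openssl ciphers -V` output and filters it by an assumed set of server certificate key types; the key types passed in are assumptions, since the question does not say which certificate the server uses.

```python
import re

# Output of `openssl ciphers -V` exactly as posted in the question above.
POSTED_OUTPUT = """\
0xC0,0x2A - ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
0xC0,0x26 - ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
0xC0,0x14 - ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH    Au=RSA  Enc=AES(256)  Mac=SHA1
0xC0,0x0A - ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH    Au=ECDSA Enc=AES(256)  Mac=SHA1
"""

# One line: "0xHH,0xLL - NAME PROTO Kx=.. Au=.. Enc=.. Mac=.."
LINE_RE = re.compile(
    r"^\s*0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})\s+-\s+(\S+)\s+(\S+)\s+"
    r"Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)\s*$"
)

# Certificate key type the server must hold for each Au= value.
# Au=ECDSA and Au=ECDH (fixed ECDH) both need a certificate with an EC key.
REQUIRED_KEY = {"RSA": "RSA", "ECDSA": "EC", "ECDH": "EC", "DSS": "DSA"}


def parse_ciphers(text):
    """Parse `openssl ciphers -V` output into a list of dicts."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or unrecognised lines
        hi, lo, name, proto, kx, au, enc, mac = m.groups()
        suites.append({"id": "0x" + (hi + lo).lower(), "name": name,
                       "proto": proto, "kx": kx, "au": au,
                       "enc": enc, "mac": mac})
    return suites


def negotiable(suites, server_key_types):
    """Keep suites whose Au= type matches a key type the server holds.

    server_key_types is a set such as {"RSA"} or {"RSA", "EC"} (assumed
    input). Au= values missing from REQUIRED_KEY are treated as unusable.
    """
    return [s for s in suites if REQUIRED_KEY.get(s["au"]) in server_key_types]


if __name__ == "__main__":
    parsed = parse_ciphers(POSTED_OUTPUT)
    for keys in ({"RSA"}, {"EC"}, {"RSA", "EC"}):
        usable = [s["name"] for s in negotiable(parsed, keys)]
        print(sorted(keys), "->", usable)
```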
