[BlueOnyx:21856] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

Michael Stauber mstauber at blueonyx.it
Wed Mar 14 17:47:53 -05 2018


Hi Lew,

> I ended up having to enable AES_128 SHA256 in TLS 1.1 in order 
> to make 2010 version work again and SHA 128 in TLS 1.0 to make 2007
> work
>
> I know all of this doesn't translate into the world of BX but 
> bottom line is that while hardening web servers y

Yeah, it's a balancing act and supporting some legacy products doesn't
make it any easier.

TLSv1.0 is as good as dead. It will raise a red flag in PCI tests in the
next couple of months, so we already turned it off for HTTPS. I still
need to turn it off in Sendmail, Dovecot and Proftpd, though. But that
will happen prior to the PCI deadline as well.

As for AES128: I'm considering throwing it out as well (at least
for HTTPS) in the latest overhaul of the ciphers that I'll release
today. There is no reference browser that doesn't support 256-bit AES.
They can all do one form or another of RSA 4096 (SHA256), ECDH secp256r1
with Forward Secrecy.

For email it's of course another matter, as email clients do have a much
longer half-life than the average browser. But eventually we'll have to
bite the bullet there as well.

-- 
With best regards

Michael Stauber
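The two settings discussed in the message (dropping TLSv1.0 and removing AES128 from the HTTPS cipher list) can be expressed and checked in a few lines of Python. The following is an added example written for this page; it is not code from the thread or from BlueOnyx, and the two cipher strings are constructed for illustration (OpenSSL cipher-list syntax, which is also what Apache's SSLCipherSuite and the mail daemons accept), not the strings BlueOnyx ships. It builds a permissive and a hardened SSLContext and then enumerates the suites each one still offers, flagging any that use AES128 or lack forward secrecy. TLS 1.3 suites are skipped in the check because they are fixed by OpenSSL's ciphersuites setting rather than the cipher string.

```python
import ssl

# Constructed cipher strings (assumptions for this example, not BlueOnyx's).
# LEGACY keeps 128-bit AES and RSA key exchange, i.e. the kind of list the
# thread is moving away from; HARDENED keeps only ephemeral (EC)DH with AES-256.
LEGACY_CIPHERS = "ALL:!aNULL:!eNULL"
HARDENED_CIPHERS = "ECDHE+AES256:DHE+AES256:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def permissive_context():
    """Server context resembling the legacy setup: TLS 1.0 allowed, AES128 on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # still accepts TLSv1.0 clients
    ctx.set_ciphers(LEGACY_CIPHERS)
    return ctx


def hardened_context():
    """Server context with the settings the message describes for HTTPS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLSv1.0 and 1.1 refused
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def tls10_allowed(ctx):
    """True if the context would still negotiate TLSv1.0."""
    return ctx.minimum_version <= ssl.TLSVersion.TLSv1


def weak_suites(ctx):
    """Names of enabled TLS <= 1.2 suites that use AES128 or have no forward secrecy.

    Forward secrecy is inferred from the OpenSSL suite name: only ECDHE-* and
    DHE-* suites use an ephemeral key exchange. TLS 1.3 suites are skipped;
    they are all forward-secret and are not selected by set_ciphers().
    """
    weak = []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue
        name = suite["name"]
        no_forward_secrecy = not name.startswith(("ECDHE-", "DHE-"))
        uses_aes128 = "AES128" in name
        if no_forward_secrecy or uses_aes128:
            weak.append(name)
    return weak


if __name__ == "__main__":
    for label, ctx in (("legacy", permissive_context()),
                       ("hardened", hardened_context())):
        print(f"{label}: TLSv1.0 allowed={tls10_allowed(ctx)}, "
              f"weak suites={weak_suites(ctx) or 'none'}")
```

Running it prints the list of suites a PCI scanner would object to for the legacy context and an empty list for the hardened one; the same cipher string can then be dropped into the Apache, Sendmail, Dovecot or ProFTPD configuration, with the caveat from the message that older mail clients may not offer any AES-256 ECDHE suite at all.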


