Hi,
Is there a way to specify that cipher ordering should be in charge of the "server", thus the API Gateway, instead of letting the client decide based upon *his* own cipher list ?
We want to force most "secure" cipher based on our RSA certificate (don't use yet ECDSA for technical reasons).
Is this something that could be achieved through "Advanced Properties" in Listen Port configuration ?
Complimentary question: what about OCSP stapling ?
./cipherscan --sigalg --curves xxxx.xxxx.com:8443
....................................................................
Target: xxxx.xxxx.com:8443
prio ciphersuite protocols pfs curves
1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r2,sect233k1,sect233r1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
2 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r2,sect233k1,sect233r1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
3 AES256-GCM-SHA384 TLSv1.2 None None
4 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r2,sect233k1,sect233r1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
5 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r2,sect233k1,sect233r1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
6 AES128-GCM-SHA256 TLSv1.2 None None
Certificate: trusted, 2048 bits, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
NPN protocols: None
OCSP stapling: not supported
Cipher ordering: client
Curves ordering: client - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLSv1.2 ephemeral sigalgs:
no PFS ECDSA ciphers detected
RSA test: intolerant of sigalg removal
Server side sigalg ordering
Supported PFS RSA signature algorithms
prio sigalg
1 SHA256
TLS Tolerance: yes