search for: tls_dhe_rsa_with_aes_256_cbc_sha

...as anyone else experienced a degraded symmetric key exchange when using FF-31 vice FF24? When I use FF24 then I get a symmetric type of AES-256 (Very Strong) rating in Calomel 0.62. When I switch to FF31 and connect to exactly the same server host and url then in Calomel 0.62 I see this instead: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (Very Weak). I am not altering any of the configuration options in FF between version trials. -- *** E-Mail is NOT a SECURE channel *** James B. Byrne mailto:ByrneJB at Harte-Lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive...

...TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) ? ? ? ? ? ? ? ? Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) ? ? ? ? ? ? ? ? Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c) ? ? ? ? ? ? ? ? Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) ? ? ? ? ? ? ? ? Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b) ? ? ? ? ? ? ? ? Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) ? ? ? ? ? ? ? ? Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067) ? ? ? ? ? ? ? ? Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) ? ? ? ? ? ? ? ? Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA...

...but where disabling the protocol takes precedence. If I just do: ssl_protocols = !SSLv2 !SSLv3 I still get some ciphers that show up as "weak", e.g., | SSLv3: | ciphers: | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong | TLS_DHE_RSA_WITH_DES_CBC_SHA - weak [....] | TLS_RSA_WITH_DES_CBC_SHA - weak Is there a way to exclude these ciphers, while still keeping my config easy to parse and avoiding duplicative or deprecated configs? The behavior is also pretty strange; if I have something like on...