[TriLUG] supporting legacy SSL ciphers

John Franklin via TriLUG trilug at trilug.org
Mon Nov 30 10:44:30 EST 2020


On Nov 30, 2020, at 10:19, William Sutton via TriLUG <trilug at trilug.org> wrote:
> 
> On Fri, 27 Nov 2020, Alan Porter via TriLUG wrote:
> 
>> 
>> Do you think there is a way I can compile openssl with at least one of the acceptable ciphers?  And if I do, will NGINX use them to negotiate an HTTPS connection?
>> 
> I figured I would have seen a response by now.
> 
> Any reason you can't use Apache?
> 

I was going to suggest something similar — Varnish or Traffic Server (http://trafficserver.apache.org/downloads) or some other lightweight proxy up front.  Note: no idea if any of them will accept really old SSL connections, or if you’ll have to recompile OpenSSL or GnuTLS first to make it work.

The next issue you’re going to run into … root certs.  What root certs do the ovens have, and will they accept expired certs or unknown CAs?

jf
-- 
John Franklin
franklin at elfie.org

