commit 89211b9915e9c3e034d311ac0fa7091e9e08bde8
Author: Christina Fu <cfu@redhat.com>
Date: Wed Aug 19 13:52:53 2015 +0200
Ticket 1566 on HSM, non-CA subsystem installations failing while trying to join security domain. Investigation shows that this issue occurs when the non-CA subsystem's SSL server and client keys are also on the HSM. While browsers (on soft token) have no issue connecting to any of the subsystems on HSM, subsystem to subsystem communication has issues when the TLS_ECDHE_RSA_* ciphers are turned on. We have decided to turn off the TLS_ECDHE_RSA_* ciphers by default (can be manually turned on if desired) based on the fact that: 1. The tested HSM seems to have issues with them (will still continue to investigate) 2. While the Perfect Forward Secrecy provided by the TLS_ECDHE_RSA_* ciphers adds security, each SSL session takes 3 times longer to establish. 3. The TLS_RSA_* ciphers are adequate at this time for the CS system operations
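--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -947,7 +947,7 @@ class PKIConfigParser:
 "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \
 "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \
 "-TLS_RSA_WITH_AES_128_CBC_SHA," + \
- "-TLS_RSA_WITH_AES_256_CBC_SHA," + \
+ "+TLS_RSA_WITH_AES_256_CBC_SHA," + \
 "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
 "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \
 "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
@@ -963,13 +963,13 @@ class PKIConfigParser:
 "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \
 "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
 "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \
- "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \
+ "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \
 "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \
 "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \
 "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \
- "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
- "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
- "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
+ "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
+ "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
 else:
 self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \
 "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \
@@ -983,9 +983,9 @@ class PKIConfigParser:
 "-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \
 "-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
 "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \
- "+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
- "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \
- "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
+ "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
+ "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \
+ "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
 "-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \
 "-TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \
 "-TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \
@@ -997,9 +997,9 @@ class PKIConfigParser:
 "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
 "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \
 "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \
- "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
+ "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
 "-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \
- "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
+ "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
 "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \
 "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \
 "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \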
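Review bot: With the TLS_ECDHE_RSA_* suites flipped to "-" in the RSA branch (the third and fourth hunks) and the surrounding TLS_RSA_*_GCM and ECDHE_ECDSA entries already "-", an RSA server's default range no longer enables any forward-secret suite or any AEAD (GCM) suite; the only "+" entries left are TLS_RSA_WITH_3DES_EDE_CBC_SHA and the AES-CBC variants, as the matching ciphers.info example in this commit confirms. That is the trade-off the commit message explains, but the code itself does not say why these defaults were chosen, so the next maintainer has no cue to revisit them once the HSM issue is resolved; a comment above the `TOMCAT_SSL_RANGE_CIPHERS_SLOT` assignment such as `# Ticket 1566: TLS_ECDHE_RSA_* off by default (HSM interop, handshake cost); RSA servers then have no PFS or GCM suite enabled - revisit` would record it. The same cipher list is also hand-maintained in base/server/share/conf/ciphers.info and nothing in this change keeps the two copies in step, which is how the doc-vs-code mismatch in that file arose. The enclosing method starts before the first hunk and continues past the last one.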
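--- a/base/server/share/conf/ciphers.info
+++ b/base/server/share/conf/ciphers.info
@@ -27,10 +27,20 @@
 # TLS_RSA_WITH_AES_128_CBC_SHA256,
 # TLS_RSA_WITH_AES_256_CBC_SHA256,
 # TLS_RSA_WITH_AES_128_GCM_SHA256,
-# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 # TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
 # TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+# The TLS_ECDHE_RSA_* ciphers provide Perfect Forward Secrecy,
+# which, while provide added security to the already secure and adequate
+# TLS_RSA_* ciphers, requries 3 times longer to establish SSL sessions.
+# In our testing environment, some HSM might also have issues providing
+# subsystem->subsystem SSL handshake. We are therefore turning them
+# off by default. One can enable them manually by turning the "-" to
+# "+" under sslRangeCiphers and restart the subsystem.
+# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+# TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 # The following ciphers are supported in rhel7.2 or greater, and they
 # are off by default, and can be turned on by sites running rhel7.2 or
 # greater:
@@ -45,22 +55,20 @@
 # TLS_RSA_WITH_3DES_EDE_CBC_SHA,
 # TLS_RSA_WITH_AES_128_CBC_SHA,
 # TLS_RSA_WITH_AES_256_CBC_SHA,
-# TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
 # Note: In an EC CS server setup, you will see by default that the
 # following RSA ciphers are left on. Those are used for installation
 # where the actual systems certs have not yet been crated, and a
 # temporary RSA ssl server cert is at play.
 # Those can be turned off manually by sites.
-# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+# TLS_RSA_WITH_AES_256_CBC_SHA256,
+# TLS_RSA_WITH_AES_128_GCM_SHA256
 # These ciphers might be removed by the installation script in some
 # future release.
 #
 ##
 # For RSA servers:
- sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"
+ sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"
 #
 #
 # For ECC servers:
- sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"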
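Review bot: The rewritten "left on" list under the EC CS server note (the second hunk) names TLS_RSA_WITH_AES_256_CBC_SHA256 and TLS_RSA_WITH_AES_128_GCM_SHA256, but the new ECC sslRangeCiphers example a few lines below in the same hunk keeps `-TLS_RSA_WITH_AES_128_GCM_SHA256` and the entries it actually turns on are `+TLS_RSA_WITH_AES_256_CBC_SHA` and `+TLS_RSA_WITH_AES_256_CBC_SHA256`, which is also what the pkiparser.py ECC branch in this commit enables. The two added note lines should read `# TLS_RSA_WITH_AES_256_CBC_SHA,` and `# TLS_RSA_WITH_AES_256_CBC_SHA256` so that a site auditing which non-PFS suites are active after install reads an accurate list. In the first hunk's new explanatory paragraph, `requries` should be `requires` and `while provide added security` should be `while providing added security`. The surrounding list headings that tell the reader which list these entries belong to lie outside the hunks, so I could not confirm the grouping above the EC note.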