How can I prioritize one SSL3 cipher over the other, without turning off any?

  • 1 reply
  • 4 have this problem
  • 1 view
  • Last reply by jamacoe


In order to force some websites to use AES 256 rather than AES 128, or to prioritize AES over RC4 or ECDH key exchange over DH, I could edit the appropriate security.ssl3 settings in about:config and just disable the unwanted ciphers. However, some sites only support a certain cipher that I might have disabled. So I can't just turn it off. But if I leave it on, again other sites prefer to use low processor load ciphers, even if they can handle more secure protocols. For example, I might disable all entries with 128 in them, to force sites to use 256-bit ciphers. If I communicate to a site that only supports a 128-bit cipher, I have no encryption at all, unless I turn on whatever it wants, for example AES-128. The problem is that now some other sites that would have used AES256 now revert to AES128. So I want a solution to prioritize all available cipher-protocols, i.e. to put them in order to be taken or chosen. If that does not work, I am looking for a way to allow a certain cipher on a per site basis.


All Replies (1)


I think the second part of my question is more relevant. I captured traffic with Wireshark and looked at the client/server cipher negotiation. If my client provides a list with AES 256 (among others) and without RC4 128, this very site https://support.mozilla.org will choose AES 256. But if I include RC4, the connection will be RC4, even though it is somewhere in the middle of the client's suggestions, not on top. This means each site searches in its own preference order for the cipher to be used, no matter how my client app prioritizes them. So now the only question is: Can I exclude and/or include a cipher on a per site basis? - If I were a programmer, that would be a nice add-on, or is there already something like that out there?
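
The selection behaviour described in the reply above (the server walks its own preference order over the client's offer) and the per-site exclusion it asks about, modelled as an added example that is not part of the original thread. Host names, server preference lists and the `SITE_EXCLUDE` table are constructed assumptions; the code models suite selection only and does not correspond to an existing Firefox preference or add-on.

```python
# Added illustration: models TLS cipher-suite selection only; no network I/O.
# All hosts, server lists and the override table below are constructed samples.

AES256 = "TLS_RSA_WITH_AES_256_CBC_SHA"
AES128 = "TLS_RSA_WITH_AES_128_CBC_SHA"
RC4 = "TLS_RSA_WITH_RC4_128_SHA"

# Client offer, most preferred first (the order sent in the ClientHello).
CLIENT_OFFER = [AES256, RC4, AES128]

# Constructed server configurations: each server's own preference order.
SERVERS = {
    "rc4-first.example": [RC4, AES256, AES128],
    "rc4-only.example": [RC4],
    "modern.example": [AES256, AES128],
}

# Hypothetical per-site policy: suites withheld from the offer for a host.
SITE_EXCLUDE = {"rc4-first.example": {RC4}}


def client_offer_for(host, base_offer=CLIENT_OFFER, exclude=SITE_EXCLUDE):
    """Build the offer for one host, dropping suites excluded for that host."""
    blocked = exclude.get(host, set())
    return [s for s in base_offer if s not in blocked]


def negotiate(offer, server_prefs, server_order=True):
    """Return the selected suite, or None when no suite is shared
    (the handshake then fails rather than continuing unencrypted)."""
    first, second = (server_prefs, offer) if server_order else (offer, server_prefs)
    allowed = set(second)
    return next((s for s in first if s in allowed), None)


def connect(host, per_site=True):
    """Negotiate with a sample server using the global or the per-site offer."""
    offer = client_offer_for(host) if per_site else list(CLIENT_OFFER)
    return negotiate(offer, SERVERS[host])


if __name__ == "__main__":
    for host in SERVERS:
        print(host, "global offer ->", connect(host, per_site=False),
              "| per-site offer ->", connect(host))
```

With the global offer the RC4-preferring sample server selects RC4 even though the client lists AES 256 first; withholding RC4 for that host alone yields AES 256 there while the RC4-only host still connects.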