sfs8 pt1
Dave Howe
ukcrypto at chiark.greenend.org.uk
Fri, 26 Sep 2008 20:08:42 +0100
Dave Howe wrote:
> Charles Lindsey wrote:
>> Well, in that case, I would regard it as the server's fault, since it
>> ought to consider all of the offerings and choose the most secure,
>> according to some internal ranking which it should have.
>
> Sure. When I get time, I will see if the server can be configured to do
> that, but I will *still* note that it is set to work this way "out of
> the box" so there are probably quite a few Apache servers out there not
> quite as secure as their owners think...

I was unable to get Apache to accept DHE preferentially - in fact, the
only way I could get it to accept it at all for IE was to restrict the
list to *just* DHE schemes.

However, it appears I am the only one who considers this a bad thing.
Note the following:
http://www.novell.com/communities/node/1606/decrypting+ssl+traffic+troubleshoot+nam
and that it appears to believe this behaviour is so desirable it gives
instructions on making Firefox behave in the same way...
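
The selection behaviour discussed in this thread, as an added example that is not part of the original messages: a small model of cipher-suite negotiation under a client-order policy and under the server-side ranking Charles Lindsey describes. The suite lists are constructed for illustration and are not the real offers of IE, Firefox or Apache; `negotiate`, `forward_secret` and `audit` are hypothetical helper names.

```python
# Added illustration: a model of TLS cipher-suite selection.
# All suite lists below are constructed samples, not captured from any
# real browser or server. Names follow OpenSSL's naming style.

def forward_secret(suite):
    """Ephemeral DH key exchange: past sessions stay protected even if the
    server's RSA private key is later disclosed."""
    return suite.startswith(("DHE-", "ECDHE-"))

def negotiate(client_offer, server_list, honor_server_order=False):
    """Return the suite picked, or None if there is no common suite.

    honor_server_order=False: first suite in the client's order that the
                              server also enables.
    honor_server_order=True:  first suite in the server's order that the
                              client also offered (server-side ranking).
    """
    if honor_server_order:
        ordered, allowed = server_list, set(client_offer)
    else:
        ordered, allowed = client_offer, set(server_list)
    for suite in ordered:
        if suite in allowed:
            return suite
    return None

# Constructed client offer that lists RSA key-exchange suites first.
CLIENT_RSA_FIRST = ["RC4-SHA", "AES128-SHA", "DES-CBC3-SHA", "DHE-RSA-AES128-SHA"]
# Constructed client offer with no DHE suites at all.
CLIENT_NO_DHE = ["RC4-SHA", "AES128-SHA"]
# Constructed server list ranked with DHE suites first.
SERVER_DEFAULT = ["DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA", "AES128-SHA", "RC4-SHA"]
# The workaround from the message: enable *just* the DHE suites.
SERVER_DHE_ONLY = [s for s in SERVER_DEFAULT if forward_secret(s)]

def audit(client_offer, server_list):
    """Outcome of each policy as (suite, is_forward_secret)."""
    result = {}
    for name, flag in (("client_order", False), ("server_order", True)):
        suite = negotiate(client_offer, server_list, flag)
        result[name] = (suite, suite is not None and forward_secret(suite))
    return result

if __name__ == "__main__":
    for label, srv in (("default", SERVER_DEFAULT), ("DHE only", SERVER_DHE_ONLY)):
        print(label, audit(CLIENT_RSA_FIRST, srv))
    print("no-DHE client, DHE-only server:", negotiate(CLIENT_NO_DHE, SERVER_DHE_ONLY))
```

In this model, restricting the server to DHE suites forces forward secrecy for clients that offer DHE, at the cost of a failed handshake for clients that offer none.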