I have a piece of hardware with an outdated list of default cipher suites. We update that list via configuration, but to get the configuration it first needs to talk to a provisioning server.
I've done a packet capture of the handshake, and the most secure ciphersuite that is supported in the default configuration is TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384. Knowing that ECDH key exchange is not advised due to lack of forward secrecy, I want to enable it nevertheless. But, I don't see this entry listed in the output from openssl ciphers and Nginx ignores my attempts to enable it in config.
My environment is Nginx 1.20 built with OpenSSL 3.0.7 running on Alma Linux 9.3. I have already tried update-crypto-policies --set LEGACY with no luck.
Is there any way to enable this ciphersuite? Is it so dangerously weak that it's been completely removed even from the LEGACY crypto policy (which still allows things like TLS_RSA_PSK_WITH_AES_128_CBC_SHA)?