OpenSSL not honouring cipher selection?

[Headless1919]

@Fright, I went to look into config.xml but it reflects exactly what the GUI shows, so I am not convinced it will function as an override. Will bear it in mind thought, thanks!

@i81b4u, RSA does not offer Perfect Forward Secrecy so I prefer to remove it, but that will work - thanks.

[i81b4u]

@RZR, I think you got things mixed up.

Not talking TLSv1.3 specifics right now, but ...

With RSA-certificates you can achieve PFS. PFS only depends on the key exchange method.

With RSA key exchange a symmetric key is exchanged "over the line" so when someone obtains the private key, traffic can be decrypted when listening in on (or replaying recorded) traffic. When using Diffie-Hellman a symmetric key is "calculated" and never sent "over the line", so it can't be found by listening in on (or replaying recorded) traffic.

Hope that makes sense? 

[Fright]

@RZR

reflects exactly what the GUI shows, so I am not convinced it will function as an override.

i checked )
but the mentioned fixes were not included in the 22.7.3.. so must be 'opnsense-patch'-ed manually

[Headless1919]

@i81b4u - you're right, I am using the term "RSA" too broadly (interchangeably), was referring specifically to KEX. Thanks

@Fright, thanks - I should have clicked. Will check after the next patch/update to see what is there. Appreciated!

[rickyrickk31]

I agree OpenSSL is conforming to the RFC, seen that snippet before. If that is the cause, LibreSSL clearly does not comply when making changes.
get-mobdro.com