Is there a document that list of supported TLS ciphers on SNAP-PACs? I recently updated a reverse proxy I use for a web service (caddy) and now I am getting TLS handshake errors from the PAC. -2103 error on the PAC and the web server reports: “tls: no cipher suite supported by both client and server”. All the RSA and all the CBC ciphers appear to have been declared weak and deprecated.
Okay thanks. I was able to check what ciphers were available when SNAP PAC has REST enabled. Maybe they are the same when running as a client.
Here they are:
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
The LetsEncrypt certificate on my new server used a ECDSA key and not an RSA key. ECDSA keys are the default for Caddy. I changed the configuration to request a cert with an RSA key and then the PAC was able to negotiate again.
Feature request - update the PACs to support ECDSA keyed certs. (IE11 supports it, gasp)