I'm thinking of changing the way cipher suites are expressed from ECDHE-RSA-AES256-GCM-SHA384 with the hyphen to ECDHE_RSA_AES256_GCM_SHA384 with the underscore. The reasoning is that it's a little easier to read and also highlights the whole thing when you double-click it. Any objections?
(I know other server config formats use the hyphen but it's kind of an eyesore and inconvenient IMO.)
(And yes, this change would be clearly spelled out in the release notes for Caddy 0.9.)
FWIW, the one you mentioned is defined as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 in RFC5289.
You can see the rest of the TLS ciphers on IANA's TLS Cipher Suite Registry.
I'd say that if you're going to make a breaking change, you may as well make it IANA compliant :)
I don't see a problem :smile:
This page at Mozilla shows how other servers use the hyphen, and I can only imagine that's because hyphens are easier to type. But let's be honest, nobody types out cipher suites manually, they just copy+paste this stuff.
Any reason not to make it silently backwards compatible?
@FiloSottile I guess not. Would we want to support both for a long time though? I feel like there should just be one way to do it to keep it simple.
Not saying to document it, but keeping a small map seems a very small complexity price. Smooth upgrades are one of those magic traits that make a software lovable. Also think the howtos that are already out there, etc.
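One way the "small map" suggested above could look, as an added example written for this thread and not Caddy's own code: a single table keyed by the hyphenated OpenSSL-style spelling, plus a normalizer that accepts the underscore form and the IANA `TLS_..._WITH_...` form as aliases. The table entries and the `LookupCipherSuite`/`ParseCipherList` names are constructed for the example; only the AES-GCM suites are included, and anything not in the table is rejected rather than silently dropped.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Constructed table for this example (not Caddy's): canonical key is the
// hyphenated OpenSSL-style name, value is the crypto/tls suite ID.
var cipherSuites = map[string]uint16{
	"ECDHE-ECDSA-AES128-GCM-SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	"ECDHE-ECDSA-AES256-GCM-SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	"ECDHE-RSA-AES128-GCM-SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	"ECDHE-RSA-AES256-GCM-SHA384":   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}

// normalizeSuiteName folds the three spellings discussed in the thread onto
// the table key: "ECDHE-RSA-AES256-GCM-SHA384" (OpenSSL style),
// "ECDHE_RSA_AES256_GCM_SHA384" (proposed underscore style) and
// "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" (IANA / RFC 5289 style).
func normalizeSuiteName(name string) string {
	n := strings.ToUpper(strings.TrimSpace(name))
	n = strings.ReplaceAll(n, "_", "-")
	n = strings.TrimPrefix(n, "TLS-")
	n = strings.ReplaceAll(n, "-WITH-", "-")
	// IANA writes the key size as its own token (AES_256); OpenSSL fuses it (AES256).
	n = strings.ReplaceAll(n, "AES-128", "AES128")
	n = strings.ReplaceAll(n, "AES-256", "AES256")
	return n
}

// LookupCipherSuite resolves a user-supplied name to a crypto/tls suite ID.
// An unknown name is an error, so a typo in the config fails loudly instead
// of quietly shrinking the suite list.
func LookupCipherSuite(name string) (uint16, error) {
	id, ok := cipherSuites[normalizeSuiteName(name)]
	if !ok {
		return 0, fmt.Errorf("unknown cipher suite %q", name)
	}
	return id, nil
}

// ParseCipherList resolves a whole list and collapses aliases, so a config
// that mixes hyphen and underscore spellings does not list a suite twice.
func ParseCipherList(names []string) ([]uint16, error) {
	var out []uint16
	seen := map[uint16]bool{}
	for _, n := range names {
		id, err := LookupCipherSuite(n)
		if err != nil {
			return nil, err
		}
		if !seen[id] {
			seen[id] = true
			out = append(out, id)
		}
	}
	return out, nil
}

func main() {
	// Constructed input: the same suite in two spellings plus one IANA name.
	ids, err := ParseCipherList([]string{
		"ECDHE-RSA-AES256-GCM-SHA384",
		"ECDHE_RSA_AES256_GCM_SHA384",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%#04x\n", ids) // two distinct suites; the alias pair collapses to one
	cfg := &tls.Config{CipherSuites: ids}
	_ = cfg
}
```

The normalizer deliberately does not guess: names outside the table (for example CBC or 3DES suites, or the CHACHA20 suite whose IANA name carries a trailing hash token) return an error, which is the behaviour you want from a config parser that decides which ciphers a server will negotiate.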
For a significant number of Caddy users (probably not versed in all things TLS), I think it would be confusing to break Apache (1, 2), Nginx (3), and ELB (4) conventions, all of which use OpenSSL format (5). Especially when so many configurations (like the Mozilla generator) use that format as well. Just my $.02.
1 http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers
2 https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#table2
3 http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers
4 http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html
5 https://www.openssl.org/docs/manmaster/apps/ciphers.html#AES-ciphersuites-from-RFC3268-extending-TLS-v1.0
If we allow both, people will discover that the hyphens work and then soon enough both will be floating around the Internet in various guides... potentially being confusing if people mix and match them :confused:
I'd be curious to know how many people are actually customizing their cipher suites with Caddy.
@mholt maybe we should create a poll?
For some reason I am starting to side with Filippo. Amazingly persuasive, that man. :smile:
Although I think I'd just not change it, rather than have it go both ways.
It's too bad it's not the same format as described by IANA and the RFC. Oh well.