AES128 is preferred as the default cipher
Posted on Apr 20, 2017 12:18 -0400
Shortly after we started offering service, we had a few customers comment that our SSL speeds were a bit slower than their last provider. After researching the cause, we noticed that a lot of providers default to much lower encryption (RC4-MD5) than we were using (AES256). Most people would agree that AES256 is a bit overkill for NNTPS, so we decided to lower our default cipher to AES128. After a few changes to our front-end server code, we added the ability to offer the available ciphers by preference.
Current cipher list in order of preference:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
As you can see, we still fully support AES256. Changing the default cipher will speed up our SSL connections, and customers wanting AES256 can still select that by configuring their Usenet client to request the stronger cipher. Should be a win/win for everyone!
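
How a client ends up on AES256 against the list above, as an added example (not the provider's server code). It assumes the server enforces its order strictly and that the certificate type does not restrict the choice; the function names and the client offer are constructed for illustration.

```python
# Added example: SERVER_PREFERENCE is copied from the post, CLIENT_OFFER is constructed.
# Assumptions: strict server-side ordering; certificate/key type is not modelled.
SERVER_PREFERENCE = """
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
""".split()

def negotiate(offer, pref=SERVER_PREFERENCE):
    """Return the first suite in the server's order that the client offers."""
    offered = set(offer)
    return next((s for s in pref if s in offered), None)  # None: no overlap

def bulk_cipher(suite):
    return suite.split("_WITH_")[1].rsplit("_", 1)[0]  # e.g. 'AES_256_CBC'

def must_disable(offer, wanted="AES_256", pref=SERVER_PREFERENCE):
    """Offered suites that outrank the first `wanted` suite the client offers."""
    offered, blocking = set(offer), []
    for suite in (s for s in pref if s in offered):
        if bulk_cipher(suite).startswith(wanted):
            return blocking
        blocking.append(suite)
    return None  # the client offers no `wanted` suite at all

CLIENT_OFFER = [  # constructed sample of what a client might advertise
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]

if __name__ == "__main__":
    print(negotiate(CLIENT_OFFER), must_disable(CLIENT_OFFER), sep="\n")
```

In this model the sample client has to stop offering RC4 as well as its AES128 suites before an AES256 suite is chosen, because TLS_RSA_WITH_RC4_128_SHA ranks above every AES256 entry. Once it does, the server's order selects TLS_RSA_WITH_AES_256_CBC_SHA ahead of the ECDHE GCM suite the client also offers.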