Thanks, Richard. I see the list in help now. There is something that is still confusing though. Shouldn't SSL and TLS have different configs, including their cipher lists? In Global Settings > SSL Configuration, a feature called ssl!ssl3_ciphers is where you configure a list, and the help says these are for SSL, obviously, but apparently TLS on SteelApp uses them too. My TLS1.2 connection to a SteelApp virtual server running HTTPS shows that the cipher I have configured for SSLv3 (there is only one for reasons I'll go into in a moment) is the one it's using. Here's the rub. I need two cipher orders in this post-BEAST and POODLE world, one for TLS and one for SSL. We are trying to retire SSLv3, but for now because of some legacy systems we can't do that for everything. To mitigate the above-mentioned vulnerabilities we've disabled all SSL CBC ciphers, which leaves us with RC4. RC4 is weak and it sucks, but we calculate that we're less likely to be hacked for using RC4 than we are using BEAST/POODLE-hackable CBC ciphers. The plan was to use SSL on RC4 and update our legacy services one at a time to TLS. But if I don't have another cipher list for TLS then even though my upgraded services are running TLS I'm still stuck with this old RC4 cipher. The second reason it's weird is that IANA-registered TLS ciphers are supposed to start with SSL_ for SSL connections and TLS_ for TLS connections, right? I suppose this way you can create one list and put both kinds in there, hence my original question. TL;DR: Is there a separate cipher list or set of TLS-specific cipher types that I can use in SteelApp to get the full advantages of TLS while limiting my risk with virtual servers that need SSL?
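As an added illustration (not from the original thread and not SteelApp code), a small Python policy check that takes one candidate cipher list and shows what each protocol is left with under the reasoning in the post: on SSLv3 the CBC suites are dropped because of POODLE, which leaves RC4, while on TLS 1.2 AEAD suites can be preferred and RC4 dropped. The sample suite names and the POLICY table are constructed assumptions for the demo.

```python
import re
from typing import Dict, List, Set

# Constructed sample list, in the order an admin might configure it.
SAMPLE_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

def bulk_mode(suite: str) -> str:
    """Classify a suite by its bulk cipher mode: 'AEAD', 'CBC', 'RC4' or 'OTHER'.
    Both TLS_ and SSL_ prefixes are accepted as spellings of the same suite."""
    name = re.sub(r"^(TLS|SSL)_", "", suite.upper())
    if "_GCM_" in name or "CHACHA20" in name or "_CCM" in name:
        return "AEAD"
    if "_CBC_" in name:
        return "CBC"
    if "RC4" in name:
        return "RC4"
    return "OTHER"

# Assumed policy mirroring the post: SSLv3 has no AEAD suites and its CBC suites are
# POODLE-exposed, so only RC4 remains; TLS 1.2 has AEAD suites, so CBC and RC4 go.
POLICY: Dict[str, Dict[str, object]] = {
    "SSLv3":  {"allow": {"RC4"},  "prefer": ["RC4"]},
    "TLS1.2": {"allow": {"AEAD"}, "prefer": ["AEAD"]},
}

def cipher_list_for(protocol: str, candidates: List[str]) -> List[str]:
    """Subset of candidates acceptable for `protocol`, ordered by preferred mode
    (stable sort keeps the admin's relative order within a mode)."""
    policy = POLICY[protocol]
    allowed: Set[str] = policy["allow"]  # type: ignore[assignment]
    rank = {mode: i for i, mode in enumerate(policy["prefer"])}  # type: ignore[arg-type]
    kept = [s for s in candidates if bulk_mode(s) in allowed]
    return sorted(kept, key=lambda s: rank[bulk_mode(s)])

def audit_shared_list(candidates: List[str]) -> Dict[str, List[str]]:
    """What a single shared list yields per protocol; an empty TLS 1.2 entry means
    the shared list leaves TLS clients with nothing the policy considers acceptable."""
    return {proto: cipher_list_for(proto, candidates) for proto in POLICY}

if __name__ == "__main__":
    for proto, suites in audit_shared_list(SAMPLE_CIPHERS).items():
        print(proto, suites)
```

Running `audit_shared_list(["SSL_RSA_WITH_RC4_128_SHA"])`, the RC4-only list from the post, gives an empty TLS 1.2 entry, which is exactly why one shared list cannot serve both protocols.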