On Thursday, 13 February 2014 17:32:25 UTC+1, Aaron Zauner wrote:
[...]
> I've patched some parts of the code to explicitly exclude anything else
> than TLSv1.2 and use a sane default cipher string loaded from a
> configuration file.
Dear Aaron,
I'd love to have this patch - I recently scanned my machines and found
the weak ciphers in nrpe, too. Since I'm not too versed in openssl usage,
I just replaced the SSL_CTX_set_cipher_list(ctx,"ADH"); with the ciphers I
also use in Apache, i.e. SSL_CTX_set_cipher_list(ctx,"ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS");
... but this was obviously wrong, since I only get "could not complete SSL
handshake" then (I guess it's because those ciphers require a cert or something).
So, to cut it short: are your changes available somewhere? Can I have them?
Thanks and regards,
Torsten
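The handshake failure above comes from the cipher string itself: the NRPE default "ADH" selects only anonymous Diffie-Hellman suites (no certificate involved, but also no server authentication), while the Apache string, with its "!aNULL", selects only suites that need a server certificate, which NRPE never loads. The script below is an added example, not code from NRPE or from either poster. It feeds both strings from the post through Python's ssl module, which calls the same OpenSSL cipher-string parser that SSL_CTX_set_cipher_list() uses, and reports which selected suites are anonymous and which require a certificate, so a string can be checked before it is compiled into a daemon. The helper names (resolve, needs_certificate) and the two constants are mine.

```python
"""Resolve an OpenSSL cipher string and classify the selected suites.

Added example (not NRPE code). Uses Python's ssl module, which drives the
same OpenSSL cipher-string parser as SSL_CTX_set_cipher_list().
"""
import re
import ssl

# Sample inputs taken from the mailing-list post: the NRPE default and the
# Apache cipher string that replaced it.
NRPE_ORIGINAL = "ADH"
APACHE_STRING = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
                 "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS")

# OpenSSL's SSL_CIPHER_description() output contains "Au=None" for anonymous
# suites and "Au=RSA" / "Au=ECDSA" for suites that need a server certificate.
_AU_RE = re.compile(r"\bAu=(\S+)")


def resolve(cipher_string):
    """Expand cipher_string with OpenSSL and split the suites by authentication.

    Returns {'anonymous': [...], 'authenticated': [...]} with suite names.
    'anonymous' suites work without a certificate (but authenticate nobody);
    'authenticated' suites make a server with no certificate fail the
    handshake, which is the "could not complete SSL handshake" in the post.
    TLS 1.3 suites are skipped: OpenSSL always appends them and they are
    never anonymous, so they would mask what the legacy string selects.
    """
    result = {"anonymous": [], "authenticated": []}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # "No cipher can be selected": nothing in this OpenSSL build matches.
        return result
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue
        match = _AU_RE.search(suite["description"])
        auth = match.group(1) if match else "unknown"
        bucket = "anonymous" if auth == "None" else "authenticated"
        result[bucket].append(suite["name"])
    return result


def needs_certificate(cipher_string):
    """True when every suite the string selects requires a server certificate."""
    selected = resolve(cipher_string)
    return bool(selected["authenticated"]) and not selected["anonymous"]


if __name__ == "__main__":
    for label, spec in (("nrpe default", NRPE_ORIGINAL), ("apache list", APACHE_STRING)):
        selected = resolve(spec)
        print(f"{label}: {len(selected['anonymous'])} anonymous suite(s), "
              f"{len(selected['authenticated'])} authenticated suite(s), "
              f"certificate required: {needs_certificate(spec)}")
```

Run as a script it prints the counts for both strings; needs_certificate() returning True for a string you intend to use in a daemon that loads no certificate is the condition to look for. The reverse check matters too: a non-empty "anonymous" list means the string still permits unauthenticated connections, which is exactly what the scan in the post flagged.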