Make openssl refrain from DH altogether

As various ssl implementations have different ideas about
which dh key lengths are acceptable, refrain from standard
dh altogether (and not only from anonymous dh) to avoid
handshake problems.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>

diff --git a/src/Ganeti/Constants.hs b/src/Ganeti/Constants.hs
index 7d04720..a0d62de 100644 (file)
--- a/src/Ganeti/Constants.hs
+++ b/src/Ganeti/Constants.hs
@@ -562,7 +562,7 @@ rsaKeyBits = 2048
 -- after it's been removed. Use the "openssl" utility to check the
 -- allowed ciphers, e.g.  "openssl ciphers -v HIGH:-DES".
 opensslCiphers :: String
-opensslCiphers = "HIGH:-DES:-3DES:-EXPORT:-ADH"
+opensslCiphers = "HIGH:-DES:-3DES:-EXPORT:-DH"
 
 -- * X509