Sisyphus is something a role model to the ssl industry, and i have since gone from an a- to a b (my blog) in ssl configurations after that apache and openssl issues debacle .
I fixed the minus issue on rc4 with :-ARCFOUR-128 in gnutls (my blog) and that got up me to my old a-, I cant do pfs as that is a software issue in debian stable, the cli thinks its ok, but the apache module tells me to piss off.
Part of that is me and debian stable using an ancient mod-gnutls version which bitches like hell on pfs, anyhow the good news is the zoo is poodle proof but the sha1 signing hashing by the ca literally lets the side down.
So that means reissuing. Being nice i wont think of government conspiracies (my blog) that both reissue and weak ciphers only now being grudgingly rolled out by those persons. Although it looks like tls is broken
I dont think i will upgrade to sha2 until the certificate expires in 19 months time. Then i join Sisyphus in rolling that ball up that hill once again.
He might have some new stories for me. Perhaps about dogs?