diff --git a/sys/src/libsec/port/tlshand.c b/sys/src/libsec/port/tlshand.c
index 3a190c96a..32d5e0f5b 100644
--- a/sys/src/libsec/port/tlshand.c
+++ b/sys/src/libsec/port/tlshand.c
@@ -253,8 +253,7 @@ enum {
 	TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA	= 0X0019,
 	TLS_DH_anon_WITH_DES_CBC_SHA		= 0X001A,
 	TLS_DH_anon_WITH_3DES_EDE_CBC_SHA	= 0X001B,
-
-	TLS_RSA_WITH_AES_128_CBC_SHA		= 0X002f,	// aes, aka rijndael with 128 bit blocks
+	TLS_RSA_WITH_AES_128_CBC_SHA		= 0X002F,	// aes, aka rijndael with 128 bit blocks
 	TLS_DH_DSS_WITH_AES_128_CBC_SHA		= 0X0030,
 	TLS_DH_RSA_WITH_AES_128_CBC_SHA		= 0X0031,
 	TLS_DHE_DSS_WITH_AES_128_CBC_SHA	= 0X0032,
@@ -266,15 +265,14 @@ enum {
 	TLS_DHE_DSS_WITH_AES_256_CBC_SHA	= 0X0038,
 	TLS_DHE_RSA_WITH_AES_256_CBC_SHA	= 0X0039,
 	TLS_DH_anon_WITH_AES_256_CBC_SHA	= 0X003A,
-
 	TLS_RSA_WITH_AES_128_CBC_SHA256		= 0X003C,
 	TLS_RSA_WITH_AES_256_CBC_SHA256		= 0X003D,
-
-	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA	= 0xC013,
-	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	= 0xC014,
-	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA	= 0xC009,
-	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA	= 0xC00A,
-	CipherMax
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA	= 0XC009,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA	= 0XC00A,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA	= 0XC013,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	= 0XC014,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256	= 0XC023,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256	= 0xC027,
 };
 
 // compression methods
@@ -284,8 +282,10 @@ enum {
 };
 
 static Algs cipherAlgs[] = {
+	{"aes_128_cbc", "sha256", 2*(16+16+SHA2_256dlen), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
 	{"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
 	{"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
+	{"aes_128_cbc", "sha256", 2*(16+16+SHA2_256dlen), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
 	{"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
 	{"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
 	{"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
@@ -802,8 +802,10 @@ static int
 isECDHE(int tlsid)
 {
 	switch(tlsid){
+	case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
 	case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
 	case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
+	case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
 	case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
 	case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
 		return 1;
@@ -2026,36 +2028,36 @@ tlsConnectionFree(TlsConnection *c)
 
 //================= cipher choices ========================
 
-static int weakCipher[CipherMax] =
+static int weakCipher[] =
 {
-	1,	/* TLS_NULL_WITH_NULL_NULL */
-	1,	/* TLS_RSA_WITH_NULL_MD5 */
-	1,	/* TLS_RSA_WITH_NULL_SHA */
-	1,	/* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
-	0,	/* TLS_RSA_WITH_RC4_128_MD5 */
-	0,	/* TLS_RSA_WITH_RC4_128_SHA */
-	1,	/* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
-	0,	/* TLS_RSA_WITH_IDEA_CBC_SHA */
-	1,	/* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
-	0,	/* TLS_RSA_WITH_DES_CBC_SHA */
-	0,	/* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
-	1,	/* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
-	0,	/* TLS_DH_DSS_WITH_DES_CBC_SHA */
-	0,	/* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
-	1,	/* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
-	0,	/* TLS_DH_RSA_WITH_DES_CBC_SHA */
-	0,	/* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
-	1,	/* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
-	0,	/* TLS_DHE_DSS_WITH_DES_CBC_SHA */
-	0,	/* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
-	1,	/* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
-	0,	/* TLS_DHE_RSA_WITH_DES_CBC_SHA */
-	0,	/* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
-	1,	/* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
-	1,	/* TLS_DH_anon_WITH_RC4_128_MD5 */
-	1,	/* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
-	1,	/* TLS_DH_anon_WITH_DES_CBC_SHA */
-	1,	/* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
+[TLS_NULL_WITH_NULL_NULL]		1,
+[TLS_RSA_WITH_NULL_MD5]			1,
+[TLS_RSA_WITH_NULL_SHA]			1,
+[TLS_RSA_EXPORT_WITH_RC4_40_MD5]	1,
+[TLS_RSA_WITH_RC4_128_MD5]		0,
+[TLS_RSA_WITH_RC4_128_SHA]		0,
+[TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5]	1,
+[TLS_RSA_WITH_IDEA_CBC_SHA]		0,
+[TLS_RSA_EXPORT_WITH_DES40_CBC_SHA]	1,
+[TLS_RSA_WITH_DES_CBC_SHA]		0,
+[TLS_RSA_WITH_3DES_EDE_CBC_SHA]		0,
+[TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA]	1,
+[TLS_DH_DSS_WITH_DES_CBC_SHA]		0,
+[TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA]	0,
+[TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA]	1,
+[TLS_DH_RSA_WITH_DES_CBC_SHA]		0,
+[TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA]	0,
+[TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]	1,
+[TLS_DHE_DSS_WITH_DES_CBC_SHA]		0,
+[TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA]	0,
+[TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA]	1,
+[TLS_DHE_RSA_WITH_DES_CBC_SHA]		0,
+[TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA]	0,
+[TLS_DH_anon_EXPORT_WITH_RC4_40_MD5]	1,
+[TLS_DH_anon_WITH_RC4_128_MD5]		1,
+[TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA]	1,
+[TLS_DH_anon_WITH_DES_CBC_SHA]		1,
+[TLS_DH_anon_WITH_3DES_EDE_CBC_SHA]	1,
 };
 
 static int
@@ -2085,7 +2087,7 @@ okCipher(Ints *cv)
 	weak = 1;
 	for(i = 0; i < cv->len; i++) {
 		c = cv->data[i];
-		if(c >= CipherMax)
+		if(c >= nelem(weakCipher))
 			weak = 0;
 		else
 			weak &= weakCipher[c];