Re: Fedora crypto policy vs the real world Was: available crypto policies

On Tue, 2014-05-06 at 07:42 -0400, Hubert Kario wrote:

> Sorry, but how does that force a plaintext session?

You try to connect to an https site. It doesn't work and an error
message is issued that no common ciphers were found. The only thing that
you can try as a user is to fall back to http.

> There's no plaintext fallback for HTTP. 

I agree there is no automatic fallback, but there will be manual
fallback by the users.

> And applications which use opportunistic encryption shouldn't use default
> cipher order anyway (as default won't ever have anonymous DH).

You don't need anonymous DH for opportunistic encryption, and most
likely you don't want it either. With anonymous DH (and current
implementations) you cannot achieve key continuity, which is the
ingredient that makes opportunistic encryption worthwhile.

regards,
Nikos


--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
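
The key continuity mentioned in the reply above, sketched as an added example that is not part of the original message: a trust-on-first-use store pins the fingerprint of the long-term key a peer presents, which is only possible when the handshake carries such a key. The `PinStore` class, the host name and the key byte strings are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: stand-ins for the long-term public keys a peer
# would present in its certificate. These are not real keys.
SERVER_KEY = b"constructed-server-public-key-A"
OTHER_KEY = b"constructed-different-public-key-B"


class PinStore:
    """Remembers the first key fingerprint seen per host (trust on first use)."""

    def __init__(self):
        self._pins = {}

    def check(self, host, presented_key):
        """Return 'no-continuity', 'first-use', 'match' or 'mismatch'.

        presented_key is None for an anonymous DH handshake: the peer sends
        only ephemeral DH parameters, so there is no long-term key to pin
        and nothing that links this session to an earlier one.
        """
        if presented_key is None:
            return "no-continuity"
        fingerprint = hashlib.sha256(presented_key).hexdigest()
        pinned = self._pins.get(host)
        if pinned is None:
            # First contact: unauthenticated, but remembered for next time.
            self._pins[host] = fingerprint
            return "first-use"
        # Later contacts: a changed key is detectable, which is the property
        # that makes opportunistic encryption worthwhile.
        return "match" if hmac.compare_digest(pinned, fingerprint) else "mismatch"


def replay(store, host, keys):
    """Run a sequence of handshakes against the store and collect the verdicts."""
    return [store.check(host, key) for key in keys]


if __name__ == "__main__":
    sessions = [SERVER_KEY, SERVER_KEY, OTHER_KEY, None]
    print(replay(PinStore(), "mail.example.test", sessions))
```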
