Re: SSH Weak Ciphers




On 10/19/2016 01:54 PM, m.roth@xxxxxxxxx wrote:
> Alice Wonder wrote:
>> On 10/19/2016 11:34 AM, Leonard den Ottolander wrote:
>>> Hello Gordon,
>>>
>>> *snip*
>>>
>>> Personally I would be more concerned whether or not to enable ECDSA
>>> algorithms (https://blog.cr.yp.to/20140323-ecdsa.html).
>>
>> For web server ECDSA certs it is currently a concern because the only
>> curves with popular support across browsers have parameters that were
>> chosen for undocumented reasons.
>>
>> That doesn't mean they are vulnerable but there is a question.
>>
>> OpenSSH uses Curve25519 for ECDSA which has documented reasons for the
>> parameters chosen and thus are far less likely to be nefariously chosen.
>>
>> At least that's my understanding of the situation, which could be flawed.
>
> Oh, are those the ones with the NSA backdoor curve?


Allegedly they might.

I use ECDSA certs on most of my websites, using secp384r1.

I formerly used secp521r1 but suddenly Google with no warning stopped supporting it in Chrome. That company is too powerful.

The only other option (that has both browser and CA support) is prime256v1.

Hopefully soon we will get a better option.

I don't believe it is an issue with OpenSSH though.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos


