Am 26.08.2013 13:26, schrieb Jan-Frode Myklebust: > On Mon, Aug 26, 2013 at 11:07:29AM +0200, Florian Weimer wrote: >> On 08/24/2013 11:38 AM, Reindl Harald wrote: >>> https://bugzilla.redhat.com/show_bug.cgi?id=319901 >>> >>> looks like Redhat based systems are the only remaining >>> which does not support EECDHE which is a shame these >>> days in context of PRISM and more and more Ciphers >>> are going to be unuseable (BEAST/CRIME weakness) >> >> Current Fedora supports perfect forward secrecy just fine. > > Just fine -- assuming one ignores the 4-5x performance penalty of DH (vs. > non-PFS/ECDHE), and also ignore IE and Safari as clients? in fact Safari is nearly the *one and only* client using PFS on a Fedora Server - expect you configure ciphers in a way BEAST attack becomes a vector and you are failing *any* security audit because of this besides this *you are unable* to use FPS if you connect to Google/Facebook with your webbrowser as well for SMTP-STARTTLS because they use ECDHE and *not* DHE so in the real world saying "Fedora supports perfect forward secrecy just fine" is somehow clueless even if someone is now saying that i am unpolite again but that is the truth and whoever states that this is not true has to prove it https://www.ssllabs.com/ssltest/ i wasted *6 hours* of my lifetime coming to the result it is not possible with Fedora _________________________________________________________ actually these clients are the only using DHE and without FF/MSIE/Opera you can say practiacally *nobody* is using it Chrome 29 / Win 7 TLS 1.2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) FS OpenSSL 1.0.1e TLS 1.2 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) FS Safari 6 / iOS 6.0.1 TLS 1.2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) FS Safari 7 / OS X 10.9 TLS 1.2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) FS _________________________________________________________ Handshake Simulation Chrome 29 / Win 7 TLS 1.2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) FS 256 Firefox 10.0.12 ESR / Win 7 TLS 1.0 SSL_RSA_WITH_RC4_128_SHA (0x5) No FS 128 Firefox 17.0.7 ESR / Win 7 TLS 1.0 SSL_RSA_WITH_RC4_128_SHA (0x5) No FS 128 Firefox 21 / Fedora 19 TLS 1.0 SSL_RSA_WITH_RC4_128_SHA (0x5) No FS 128 Firefox 22 / Win 7 TLS 1.0 SSL_RSA_WITH_RC4_128_SHA (0x5) No FS 128 IE 6 / XP No FS * Fail** IE 7 / Vista TLS 1.0 SSL_RSA_WITH_RC4_128_SHA (0x5) No FS 128 IE 8 / XP No FS * TLS 1.0 SSL_RSA_WITH_RC4_128_SHA (0x5) No FS 128 IE 8-10 / Win 7 TLS 1.0 SSL_RSA_WITH_RC4_128_SHA (0x5) No FS 128 IE 11 / Win 8.1 TLS 1.2 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) No FS 256 Java 6u45 TLS 1.0 SSL_RSA_WITH_RC4_128_SHA (0x5) No FS 128 Java 7u25 TLS 1.0 SSL_RSA_WITH_RC4_128_SHA (0x5) No FS 128 OpenSSL 0.9.8y TLS 1.0 SSL_RSA_WITH_RC4_128_SHA (0x5) No FS 128 OpenSSL 1.0.1e TLS 1.2 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) FS 256 Opera 12.15 / Win 7 TLS 1.0 SSL_RSA_WITH_RC4_128_SHA (0x5) No FS 128 Opera 15 / Win 7 TLS 1.1 SSL_RSA_WITH_RC4_128_SHA (0x5) No FS 128 Safari 5.1.9 / OS X 10.6.8 TLS 1.0 SSL_RSA_WITH_RC4_128_SHA (0x5) No FS 128 Safari 6 / iOS 6.0.1 TLS 1.2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) FS 256 Safari 6.0.4 / OS X 10.8.4 TLS 1.0 SSL_RSA_WITH_RC4_128_SHA (0x5) No FS 128 Safari 7 / OS X 10.9 TLS 1.2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) FS
Attachment:
signature.asc
Description: OpenPGP digital signature
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
