On 05/29/2018 01:48 AM, Viktor Dukhovni wrote:
> I am rather puzzled as to why you chose to eliminate
> not just fixed DH, but also the ephemeral finite-field
> DH key exchange. What's wrong with the DHE ciphers?

Mostly precomputation attacks:
https://weakdh.org/logjam.html

Those parameters are "ephemeral", but not really unique for each TLS session. They are also quite slow compared to their EC counterparts...

> I would have chosen:
>
> HIGH:!aNULL:!kDH:!kECDH:!MD5
>
> which excludes the *fixed* DH/ECDH ciphers and MD5
> (and thus also SSLv2). This does not eliminate
> ephemeral finite-field DH, not sure why you're doing
> that...

Actually the only MD5 vulnerability is collisions. This may be a threat for some CAs that use predictable serial numbers, but there is no known risk for HMACs as used in TLS cipher suites.

Also, excluding kECDH cipher suites sounds like a good idea indeed.

Best regards,
Mike
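To see what the cipher string quoted in this message selects on a given OpenSSL build, the following added example (not part of the original message, and not code from either poster) expands it with Python's `ssl` module and groups the result by key exchange. The `NO_DHE` variant with `!kDHE` appended is an assumption made here for comparison; the string the reply's author actually used is not shown on the page.

```python
import ssl
from collections import defaultdict

# Cipher string quoted in the message above.
QUOTED = "HIGH:!aNULL:!kDH:!kECDH:!MD5"
# Assumption (not from the thread): same string with the kDHE key exchange dropped.
NO_DHE = QUOTED + ":!kDHE"


def expand(cipher_string):
    """Suites the local OpenSSL build enables for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if the string selects nothing
    return ctx.get_ciphers()


def by_key_exchange(suites):
    """Group suite names by key-exchange label ('kx-dhe', 'kx-ecdhe', ...)."""
    groups = defaultdict(list)
    for suite in suites:
        groups[suite.get("kea", "unknown")].append(suite["name"])
    return dict(groups)


def unwanted(suites):
    """Names of suites with no authentication or an MD5-based MAC."""
    return [s["name"] for s in suites
            if s.get("auth") == "auth-null" or s.get("digest") == "md5"]


if __name__ == "__main__":
    for label, string in (("quoted", QUOTED), ("no DHE", NO_DHE)):
        suites = expand(string)
        print(f"{label}: {string}")
        for kx, names in sorted(by_key_exchange(suites).items()):
            print(f"  {kx:12} {len(names):3}  e.g. {names[0]}")
        print("  unwanted:", unwanted(suites) or "none")
```

TLS 1.3 suites are not controlled by this cipher string, so they appear in both listings (labelled `kx-any`). On OpenSSL 1.1.0 and later the fixed DH/ECDH suites no longer exist, so `!kDH` and `!kECDH` change nothing there.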