Hi,
Thank you for the clarifications.
Regards,
Sanjaya
Sanjaya
On Fri, Jun 8, 2018 at 4:30 PM, Jakob Bohm <jb-openssl@xxxxxxxxxx> wrote:
(Top posting for consistency).
Once the client receives the TLS1.2 servers choice of DH group,
it can either accept it or abort the connection.
However if both client and server support the "supported_groups"
extension (RFC4492) with the additional DH group identifiers in
RFC7919, they can negotiate a common accepted group of desired
strength, though the mechanism (like TLS1.3) is artificially
limited to a fixed set of groups listed in the RFC.
On 08/06/2018 12:15, Sanjaya Joshi wrote:
Hello,
Thank you Matt and Jordan. So, it seems that it's possible to modify my client to accept/reject the DH group key length. But i have one more issue to be clarified.
Is it possible that if a client does not accept the DH group key length used by the server, then, a different possible cipher (for e.g., RSA) is tried to be negotiated. It seems that the connection is rejected, instead of falling back to a different possible cipher. At least, i tested this quickly using s_client and s_server, and the behavior is as stated above, i.e., no fallback and connection was terminated. Is this the default OpenSSL behavior or this behaviour could be modified somehow by applications ?
Regards,
Sanjaya
On Thu, Jun 7, 2018 at 8:43 PM, Matt Caswell <matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>> wrote:
On 07/06/18 16:02, Jordan Brown wrote:
> I do not understand, however, how the 80 relates to a 1024-bit
limit.
It's a measure of the "security bits" of an algorithm according to
table
2 in this doc:
https://nvlpubs.nist.gov/nistpubs/specialpublications/nist. sp.800-57pt1r4.pdf
<https://nvlpubs.nist.gov/nistpubs/specialpublications/nist. >sp.800-57pt1r4.pdf
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users