On Mon, Dec 24, 2018 at 12:51:17PM +0100, Christian wrote:

> This sounds like a typical RSA scenario, however I also want to have
> forward security, which requires me to use something with temporary keys
> only - I'm having ECDHE in mind for that, ECDHE-RSA-AES128-GCM-SHA256 in
> particular. However, after some research I found out that the "RSA" in
> that cipher only refers to the temporary keys that are being generated
> for this connection, and thus authentication would have to be issued on
> top of TLS, not within the means of TLS itself.

Your research has led you astray. The ECDHE-RSA-AES128-GCM-SHA256
ciphersuite *is* RSA authenticated and offers forward secrecy, the same
is true also of its 256-bit twin:

    $ openssl ciphers -v kECDHE+AESGCM+aRSA | sed 's/  */ /g'
    ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD

they are both quite strong, use 128-bit to optimize for speed or 256-bit
against hypothetical attacks on 128-bit AES that don't break AES-256.

These ciphers are for TLS 1.2. With OpenSSL 1.1.1 you might also consider
TLS 1.3 ciphers, where the public algorithm is negotiated separately,

    TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
    TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
    TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD

and you could use Ed25519 certificates and/or X25519 key exchange.

-- 
    Viktor.
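The Kx/Au split shown in the reply can also be checked programmatically. The following is an added example, not part of the original message: it uses Python's standard `ssl` module (backed by OpenSSL) to confirm that a cipher string selects only suites with ephemeral ECDH key exchange and RSA authentication. The function names are hypothetical, and the `kRSA+AESGCM` string is added here as a contrast (static RSA key transport, no forward secrecy).

```python
import ssl


def tls12_suites(cipher_string):
    """Return (name, key exchange, authentication) for every TLS 1.2 suite
    that the local OpenSSL selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # this OpenSSL build selects nothing for the string
    # TLS 1.3 suites are not controlled by set_ciphers() and report
    # Kx=any/Au=any, so they are left out of the result.
    return [(c["name"], c["kea"], c["auth"])
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def forward_secret_rsa_only(cipher_string):
    """True only if every selected TLS 1.2 suite uses ephemeral ECDH for
    key exchange (forward secrecy) and an RSA certificate for authentication."""
    suites = tls12_suites(cipher_string)
    return bool(suites) and all(
        kx == "kx-ecdhe" and auth == "auth-rsa" for _, kx, auth in suites)


if __name__ == "__main__":
    # The first string is the one from the reply; the other two are
    # contrast cases constructed for this example.
    for spec in ("kECDHE+AESGCM+aRSA", "kRSA+AESGCM", "kECDHE+AESGCM"):
        print(spec, "->", "OK" if forward_secret_rsa_only(spec) else "REJECT")
        for name, kx, auth in tls12_suites(spec):
            print(f"    {name:32} {kx:10} {auth}")
```
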