[openssl-users] [openssl-dev] Replacing RFC2712 (was Re: Kerberos)
Viktor Dukhovni
openssl-users at dukhovni.org
Mon May 11 16:42:49 UTC 2015
On Mon, May 11, 2015 at 11:25:33AM -0500, Nico Williams wrote:
> - If you don't want to depend on server certs, use anon-(EC)DH
> ciphersuites.
>
> Clients and servers must reject[*] TLS connections using such a
> ciphersuite but not using a GSS-authenticated application protocol.
[*] Except when employing unauthenticated encrypted communication
to mitigate passive monitoring (opportunistic security).
--
Viktor.