[openssl-users] Authentication over ECDHE
Christian
c.wehrmeyer at freshlions.de
Mon Dec 24 15:25:54 UTC 2018
> Your research has led you astray. The ECDHE-RSA-AES128-GCM-SHA25
> ciphersuiteo *is* RSA authenticated and offers forward secrecy,
Then how would I load my static RSA keys into my SSL_CTX? Simply by
using SSL_CTX_use_PrivateKey_file on client and server? As far as I
understand the mechanism that would only enable encryption, but not
decryption.
> they are both quite strong, use 128-bit to optimize for speed or
> 256-bit against hypothetical attacks on 128-bit AES that don't break
> AES-256.
Actually, I've been told that AES256 is weaker than AES128 in theory,
and have been discouraged to use it.
> and you could use Ed25519 certificates and/or X25519 key exchange.
I said I'd like to avoid using any certificates. I don't see the point
of them if I'm going to use static keys anyways. And certificates, from
my limited understanding, only establish external trust anyways. I want
direct trust.
More information about the openssl-users
mailing list