[openssl-users] stunnel 5.46 released
Viktor Dukhovni
openssl-users at dukhovni.org
Mon May 28 23:48:19 UTC 2018
> On May 28, 2018, at 5:27 PM, Michal Trojnara <Michal.Trojnara at stunnel.org> wrote:
>
> - The default cipher list was updated to a safer value:
> "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK".
I am rather puzzled as to why you chose to eliminate
not just fixed DH, but also the ephemeral finite-field
DH key exchange. What's wrong with the DHE ciphers?
I would have chosen:
HIGH:!aNULL:!kDH:!kECDH:!MD5
which excludes the *fixed* DH/ECDH ciphers and MD5
(and thus also SSLv2). This does not eliminate
ephemeral finite-field DH, not sure why you're doing
that...
--
Viktor.
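
Added example, not part of the original message or of stunnel: a Python sketch that uses the standard `ssl` module to expand both cipher strings quoted in this thread against the locally linked OpenSSL and groups the selected TLS 1.2-and-earlier suites by their `Kx=` label. The helper names are illustrative, and the exact suite counts depend on the OpenSSL build.

```python
import re
import ssl

# Both strings are quoted from the thread above.
STUNNEL_5_46 = "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK"
SUGGESTED = "HIGH:!aNULL:!kDH:!kECDH:!MD5"


def expand(cipher_string):
    """Map suite name -> Kx label for the TLS <= 1.2 suites selected locally."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    suites = {}
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are not governed by this string
        kx = re.search(r"Kx=(\S+)", c["description"])
        suites[c["name"]] = kx.group(1) if kx else "?"
    return suites


def kx_summary(cipher_string):
    """Count selected suites per key-exchange label, e.g. {'ECDH': 12, 'DH': 8}."""
    counts = {}
    for kx in expand(cipher_string).values():
        counts[kx] = counts.get(kx, 0) + 1
    return counts


def dropped(by, relative_to):
    """Suites present under `relative_to` but absent under `by`."""
    kept = expand(by)
    return {n: kx for n, kx in expand(relative_to).items() if n not in kept}


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for label, s in (("stunnel 5.46", STUNNEL_5_46), ("suggested", SUGGESTED)):
        print(f"{label:13} {s}\n  {kx_summary(s)}")
    for name, kx in sorted(dropped(STUNNEL_5_46, SUGGESTED).items()):
        print(f"  only in suggested: {name} (Kx={kx})")
```

In OpenSSL's suite descriptions, `Kx=DH` is the label carried by the ephemeral `DHE-*` suites, so the `dropped` output lists exactly the suites the `!DH` and `!kDHEPSK` terms remove.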