[openssl-users] stunnel 5.46 released
Michał Trojnara
Michal.Trojnara at stunnel.org
Wed May 30 16:54:06 UTC 2018
On 05/29/2018 01:48 AM, Viktor Dukhovni wrote:
> I am rather puzzled as to why you chose to eliminate
> not just fixed DH, but also the ephemeral finite-field
> DH key exchange. What's wrong with the DHE ciphers?
Mostly precomputation attacks: https://weakdh.org/logjam.html
Those parameters are "ephemeral", but not really unique for each TLS
session.
They are also quite slow compared to their EC counterparts...
> I would have chosen:
>
> HIGH:!aNULL:!kDH:!kECDH:!MD5
>
> which excludes the *fixed* DH/ECDH ciphers and MD5
> (and thus also SSLv2). This does not eliminate
> ephemeral finite-field DH, not sure why you're doing
> that...
Actually the only MD5 vulnerability is collisions. This may be a threat
for some CAs that use predictable serial numbers, but there is no known
risk for HMACs as used in TLS cipher suites.
Also, excluding kECDH cipher suites sounds like a good idea indeed.
Best regards,
Mike
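
To see what the cipher string quoted in this message enables on a given host, it can be expanded with Python's `ssl` module against the local OpenSSL build. This is an added example, not code from the thread or from stunnel; the `WITHOUT_DHE` string (the quoted string plus `!kDHE`) is an assumption made for comparison, and the helper names are hypothetical.

```python
import ssl
from collections import defaultdict

# Cipher string quoted in the message above.
SUGGESTED = "HIGH:!aNULL:!kDH:!kECDH:!MD5"
# Assumption for comparison: the same string with ephemeral finite-field DH
# also excluded. This is not stunnel's actual default (not shown on the page).
WITHOUT_DHE = SUGGESTED + ":!kDHE"


def expand(cipher_string):
    """Return the TLS <= 1.2 suites the local OpenSSL enables for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately and ignore this string; skip them.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def by_key_exchange(suites):
    """Group suite names by key-exchange type, e.g. 'kx-dhe', 'kx-ecdhe', 'kx-rsa'."""
    groups = defaultdict(list)
    for c in suites:
        groups[c.get("kea", "unknown")].append(c["name"])
    return dict(groups)


def removed_by(base, stricter):
    """Suites enabled by `base` that `stricter` no longer enables."""
    kept = {c["name"] for c in expand(stricter)}
    return [c for c in expand(base) if c["name"] not in kept]


if __name__ == "__main__":
    for label, spec in (("suggested", SUGGESTED), ("without DHE", WITHOUT_DHE)):
        print(f"{label}: {spec}")
        for kea, names in sorted(by_key_exchange(expand(spec)).items()):
            print(f"  {kea:14} {len(names):3}  e.g. {names[0]}")
    print("dropped by !kDHE:", [c["name"] for c in removed_by(SUGGESTED, WITHOUT_DHE)])
```

The output depends on the OpenSSL version and any system-wide crypto policy, so run it on the host where the TLS endpoint is actually deployed.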