[openssl-users] stunnel 5.46 released
Michal Trojnara
Michal.Trojnara at stunnel.org
Thu May 31 04:09:07 UTC 2018
On 30.05.2018 19:12, Viktor Dukhovni wrote:
> So I would disable only kDH, but not DHE. Keep in mind that
> some remote systems will not support EECDH, and by disabling
> DHE, you get only kRSA, which is worse. So I think that
> '!DH' is unwise.
I respectfully disagree. The only practical disadvantage of kRSA is
that it doesn't provide PFS. Losing PFS is bad, but it's not a huge
price for ensuring secure key exchange. Actually, there aren't that
many platforms nowadays that support kDHE and not kECDHE.
Best regards,
Mike
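
To make the trade-off in this exchange concrete, here is an added example (not part of the original message and not stunnel code) that uses Python's `ssl` module to count, by key exchange, the TLS 1.2-and-below suites that an OpenSSL cipher string leaves enabled. The function names are hypothetical, and the counts depend on the OpenSSL build that Python is linked against.

```python
import ssl
from collections import Counter


def kx_breakdown(cipher_string):
    """Count the TLS <= 1.2 suites a cipher string enables, by key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    counts = Counter()
    for suite in ctx.get_ciphers():
        # TLS 1.3 suites are not controlled by this string; OpenSSL reports
        # their key exchange as "kx-any", so leave them out of the count.
        if suite.get("kea", "kx-any") == "kx-any":
            continue
        counts[suite["kea"]] += 1
    return counts


def kx_without_ecdhe(cipher_string):
    """Key exchanges still on offer to a peer that has no ECDHE support."""
    return sorted(k for k in kx_breakdown(cipher_string) if "ecdhe" not in k)


if __name__ == "__main__":
    # Compare the local default list with the same list after '!DH'.
    for s in ("DEFAULT", "DEFAULT:!DH"):
        print(s, dict(kx_breakdown(s)), kx_without_ecdhe(s))
```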