[openssl-dev] Circumstances cause CBC often to be preferred over GCM modes
Hanno Böck
hanno at hboeck.de
Tue Dec 16 14:38:01 UTC 2014
On Tue, 16 Dec 2014 15:14:13 +0100
Hubert Kario <hkario at redhat.com> wrote:
> No, this is problem with OpenSSL cipher order - it prefers key size
> over other factors - it should prefer AEAD and PFS ciphers before
> ordering on key size, doubly so that in practice you can't get
> anywhere near 256 bit level of security using TLS.
Agreed, this is one of the things I think that should happen.
I got a reply on the chromium list that this is already so in
boringssl. Code is in ssl/ssl_ciph.c
If there is consensus that this should be ported I would try to isolate
the neccessary patches from boringssl and submit them.
--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno at hboeck.de
GPG: BBB51E42
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://mta.opensslfoundation.net/pipermail/openssl-dev/attachments/20141216/f52a9353/attachment.sig>
More information about the openssl-dev
mailing list