[openssl-dev] 3DES is a HIGH-strength cipher?
Short, Todd
tshort at akamai.com
Fri Feb 12 20:52:16 UTC 2016
So, if it’s “mandatory”, then it should be in the default set of ciphers, not necessarily the “HIGH” set.
I’m selecting “HIGH” because I want 128-bit+ ciphers, not a cipher that has subsequently been found to be weaker than previously thought.
--
-Todd Short
// tshort at akamai.com
// "One if by land, two if by sea, three if by the Internet."
On Feb 12, 2016, at 3:36 PM, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
On Feb 12, 2016, at 3:15 PM, Salz, Rich <rsalz at akamai.com> wrote:
So is RC4 and we don't see that as HIGH. HIGH implies strength, not MTI-ness.
Now let's not make stuff up:
http://tools.ietf.org/html/rfc5246#section-9
9. Mandatory Cipher Suites
In the absence of an application profile standard specifying
otherwise, a TLS-compliant application MUST implement the cipher
suite TLS_RSA_WITH_AES_128_CBC_SHA (see Appendix A.5 for the
definition).
http://tools.ietf.org/html/rfc4346#section-9
9. Mandatory Cipher Suites
In the absence of an application profile standard specifying
otherwise, a TLS compliant application MUST implement the cipher
suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.
http://tools.ietf.org/html/rfc2246#section-9
9. Mandatory Cipher Suites
In the absence of an application profile standard specifying
otherwise, a TLS compliant application MUST implement the cipher
suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.
Since many users enable just HIGH ciphers, they must not exclude the MTI
ciphers.
--
Viktor.
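Added example, not part of the original thread: a Python check of what a cipher string such as HIGH expands to on the local OpenSSL build, listing any triple-DES suites it admits. The function names and the `HIGH:!3DES` string are this example's own choices, and the output depends on the OpenSSL version Python is linked against.

```python
import ssl

# Substrings OpenSSL and the RFCs use in triple-DES suite names,
# e.g. DES-CBC3-SHA or TLS_RSA_WITH_3DES_EDE_CBC_SHA.
TRIPLE_DES_MARKERS = ("3DES", "DES-CBC3")


def is_triple_des(name):
    """True if a cipher suite name denotes a triple-DES suite."""
    return any(marker in name.upper() for marker in TRIPLE_DES_MARKERS)


def expand(cipher_string):
    """Return the suites the local OpenSSL build selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def audit(cipher_string):
    """Summarise a cipher string: suite count, 3DES suites, sub-128-bit suites."""
    suites = expand(cipher_string)
    return {
        "total": len(suites),
        "triple_des": [s["name"] for s in suites if is_triple_des(s["name"])],
        # strength_bits is the rating assigned by the OpenSSL build itself.
        "below_128": [s["name"] for s in suites if s["strength_bits"] < 128],
    }


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for spec in ("HIGH", "HIGH:!3DES"):
        print(spec, audit(spec))
```

On a build where HIGH still contains 3DES, the first report names those suites; the second report's `triple_des` list is empty because `!3DES` removes them from the selection.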