[openssl-dev] 3DES is a HIGH-strength cipher?
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Fri Feb 12 21:04:28 UTC 2016
> So, if it’s “mandatory”, then it should be in the default set of ciphers, not
> necessarily the “HIGH” set.
>
> I’m selecting “HIGH” because I want 128-bit+ ciphers, not a cipher that
> has subsequently been found to be weaker than previously thought.
I used to think that MTI doesn’t mean “Mandatory To Offer”. My codebase must
have it, but my server (and/or client) configuration may explicitly forbid
it. Is there anything wrong with this view?
> --
> -Todd Short
> // tshort at akamai.com
> // "One if by land, two if by sea, three if by the Internet."
>
>> On Feb 12, 2016, at 3:36 PM, Viktor Dukhovni <openssl-users at dukhovni.org>
>> wrote:
>>
>>
>>> On Feb 12, 2016, at 3:15 PM, Salz, Rich <rsalz at akamai.com> wrote:
>>>
>>> So is RC4 and we don't see that as HIGH. HIGH implies strength, not
>>> MTI-ness.
>>
>> Now let's not make stuff up:
>>
>> http://tools.ietf.org/html/rfc5246#section-9
>>
>> 9. Mandatory Cipher Suites
>>
>> In the absence of an application profile standard specifying
>> otherwise, a TLS-compliant application MUST implement the cipher
>> suite TLS_RSA_WITH_AES_128_CBC_SHA (see Appendix A.5 for the
>> definition).
>>
>> http://tools.ietf.org/html/rfc4346#section-9
>>
>> 9. Mandatory Cipher Suites
>>
>> In the absence of an application profile standard specifying
>> otherwise, a TLS compliant application MUST implement the cipher
>> suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.
>>
>> http://tools.ietf.org/html/rfc2246#section-9
>>
>> 9. Mandatory Cipher Suites
>>
>> In the absence of an application profile standard specifying
>> otherwise, a TLS compliant application MUST implement the cipher
>> suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.
>>
>> Since many users enable just HIGH ciphers, they must not exclude the MTI
>> ciphers.
>>
>> --
>> --
>> Viktor.
>>
>> --
>> openssl-dev mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>
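Added example, not part of the original message or of OpenSSL's own code: a way to check what a cipher string such as `HIGH` actually expands to on the local build, and to confirm that a configuration can forbid 3DES even when the library implements it. It assumes Python's `ssl` module linked against OpenSSL; the function names are hypothetical and the output depends on the installed OpenSSL version.

```python
import ssl

def expand(cipher_string):
    """Suites the local OpenSSL build enables for an OpenSSL cipher string.
    On OpenSSL 1.1.1+ the result also lists TLS 1.3 suites, which the
    cipher string does not control."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()

def is_3des(suite):
    # OpenSSL suite names spell 3DES as DES-CBC3 or 3DES-EDE-CBC.
    return "DES-CBC3" in suite["name"] or "3DES" in suite["name"]

def audit(cipher_string, min_bits=128):
    """Return (name, strength_bits) for enabled suites that are 3DES or whose
    OpenSSL-reported strength is below min_bits."""
    return sorted(
        (s["name"], s["strength_bits"])
        for s in expand(cipher_string)
        if is_3des(s) or s["strength_bits"] < min_bits
    )

def three_des_available():
    """True if this build can enable at least one 3DES suite at all, which is
    separate from whether a given configuration offers it."""
    try:
        return any(is_3des(s) for s in expand("3DES"))
    except ssl.SSLError:
        return False

if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    print("3DES implemented and permitted by this build:", three_des_available())
    for cs in ("HIGH", "HIGH:!3DES"):
        print(cs, "->", audit(cs) or "nothing below 128 bits, no 3DES")
```

An empty result for `HIGH:!3DES` means the configuration offers only suites OpenSSL rates at 128 bits or more, regardless of what `three_des_available()` reports.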