[openssl-dev] 3DES is a HIGH-strength cipher?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Fri Feb 12 21:04:28 UTC 2016 

> So, if it’s “mandatory”, then it should be in the default set of ciphers, not
> necessarily the “HIGH” set.
> 
> I’m selecting “HIGH” because I want 128-bit+ ciphers, not a cipher that that
> has subsequently found to be weaker than previously thought.

I used to think that MTI doesn’t mean “Mandatory To Offer”. My codebase must
have it, but my server (and/or client) configuration may explicitly forbid
it. Is there anything wrong with this view?



> --
> -Todd Short
> // tshort at akamai.com
> // "One if by land, two if by sea, three if by the Internet."
> 
>> On Feb 12, 2016, at 3:36 PM, Viktor Dukhovni <openssl-users at dukhovni.org>
>> wrote:
>> 
>> 
>>> On Feb 12, 2016, at 3:15 PM, Salz, Rich <rsalz at akamai.com> wrote:
>>> 
>>> So is RC4 and we don't see that as HIGH. HIGH implies strength, not
>>> MTI-ness.
>> 
>> Now let's not make stuff up:
>> 
>> http://tools.ietf.org/html/rfc5246#section-9
>> 
>> 9.  Mandatory Cipher Suites
>> 
>>   In the absence of an application profile standard specifying
>>   otherwise, a TLS-compliant application MUST implement the cipher
>>   suite TLS_RSA_WITH_AES_128_CBC_SHA (see Appendix A.5  for the
>>   definition).
>> 
>> http://tools.ietf.org/html/rfc4346#section-9
>> 
>> 9. Mandatory Cipher Suites
>> 
>>   In the absence of an application profile standard specifying
>>   otherwise, a TLS compliant application MUST implement the cipher
>>   suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.
>> 
>> http://tools.ietf.org/html/rfc2246#section-9
>> 
>> 9. Mandatory Cipher Suites
>> 
>>   In the absence of an application profile standard specifying
>>   otherwise, a TLS compliant application MUST implement the cipher
>>   suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.
>> 
>> Since many users enable just HIGH ciphers, they must not exclude the MTI
>> ciphers.
>> 
>> -- 
>> -- 
>> Viktor.
>> 
>> -- 
>> openssl-dev mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
> 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160212/c2a412b7/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4324 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160212/c2a412b7/attachment.bin>

More information about the openssl-dev mailing list