[openssl-dev] 3DES is a HIGH-strength cipher?

Viktor Dukhovni openssl-users at dukhovni.org
Sat Feb 13 00:16:38 UTC 2016


> On Feb 12, 2016, at 6:55 PM, Richard Moore <richmoore44 at gmail.com> wrote:
> 
> Personally I think the fact that HIGH includes ciphersuites that offer no MITM protection means that those who trust it have already been totally betrayed.

The correct way to use high-grade ciphers is:

	"DEFAULT:!EXPORT:!LOW:!MEDIUM"

The various individual cipherlist building blocks are properly orthogonal,
and HIGH/MEDIUM/LOW/EXPORT covers only the symmetric algorithm strength.

One can also use it safely via constructs such as "HIGH:!aNULL:!aDSS:!kRSA"
(if say one also wants to disable DSA and RSA key transport).

-- 
	Viktor.
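
An added example, not part of the original message: it expands the cipher strings quoted above with Python's ssl module and counts the selected TLS <= 1.2 suites by authentication and key-exchange method, so the effect of each building block can be checked on a given host. The function names are this example's own, and the counts depend on the locally linked OpenSSL build.

```python
import ssl
from collections import Counter

# The cipher strings quoted in the message, plus bare "HIGH" for comparison.
CIPHER_STRINGS = [
    "HIGH",
    "HIGH:!aNULL:!aDSS:!kRSA",
    "DEFAULT:!EXPORT:!LOW:!MEDIUM",
]


def expand(cipher_string):
    """Return the TLS <= 1.2 suites the local OpenSSL selects for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is selected
    # TLS 1.3 suites are configured separately from the cipher string,
    # so they are left out of the audit.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Count the selected suites by authentication and key-exchange method."""
    suites = expand(cipher_string)
    return {
        "total": len(suites),
        "auth": Counter(c["auth"] for c in suites),
        "kx": Counter(c["kea"] for c in suites),
    }


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for s in CIPHER_STRINGS:
        r = audit(s)
        print(s)
        print("  suites:            ", r["total"])
        print("  anonymous (aNULL): ", r["auth"]["auth-null"])
        print("  DSS-authenticated: ", r["auth"]["auth-dss"])
        print("  RSA key transport: ", r["kx"]["kx-rsa"])
```

A non-zero "anonymous" count on the bare HIGH line is the case the quoted complaint describes; the other two strings should report zero.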


