[openssl-dev] 3DES is a HIGH-strength cipher?

Hubert Kario hkario at redhat.com
Mon Feb 15 15:38:57 UTC 2016


On Friday 12 February 2016 15:36:36 Viktor Dukhovni wrote:
> > On Feb 12, 2016, at 3:15 PM, Salz, Rich <rsalz at akamai.com> wrote:
> > 
> > So is RC4 and we don't see that as HIGH. HIGH implies strength, not
> > MTI-ness.
> Now let's not make stuff up:
> 
> http://tools.ietf.org/html/rfc5246#section-9
> 
> 9.  Mandatory Cipher Suites
> 
>    In the absence of an application profile standard specifying
>    otherwise, a TLS-compliant application MUST implement the cipher
>    suite TLS_RSA_WITH_AES_128_CBC_SHA (see Appendix A.5  for the
>    definition).
> 
> http://tools.ietf.org/html/rfc4346#section-9
> 
> 9. Mandatory Cipher Suites
> 
>    In the absence of an application profile standard specifying
>    otherwise, a TLS compliant application MUST implement the cipher
>    suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.
> 
> http://tools.ietf.org/html/rfc2246#section-9
> 
> 9. Mandatory Cipher Suites
> 
>    In the absence of an application profile standard specifying
>    otherwise, a TLS compliant application MUST implement the cipher
>    suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.
> 
> Since many users enable just HIGH ciphers, they must not exclude the
> MTI ciphers.


MTI means Mandatory To Implement, not Mandatory To Deploy or Mandatory 
To Enable, and definitely does not mean Mandatory To Force User 
Applications To Advertise Support For.

Nobody on the Internet uses TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA; does that 
mean that the TLS 1.0 deployment is 0%?
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
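
An added example, not part of the original message or of OpenSSL's code: a check of which suites a cipher string such as HIGH actually enables on the local build, using Python's standard `ssl` module. The helper names and the name-matching markers are assumptions made for this illustration.

```python
import ssl

# Substrings that OpenSSL-style suite names carry for the two legacy
# ciphers argued about in the thread (marker list is an assumption).
LEGACY_MARKERS = {"3DES": ("DES-CBC3", "3DES"), "RC4": ("RC4",)}


def legacy_family(suite_name):
    """Return '3DES' or 'RC4' if the suite name uses that cipher, else None."""
    for family, markers in LEGACY_MARKERS.items():
        if any(marker in suite_name for marker in markers):
            return family
    return None


def expand(cipher_string):
    """Suite names the local OpenSSL build enables for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [suite["name"] for suite in ctx.get_ciphers()]


def legacy_suites(cipher_string):
    """Enabled suites that use 3DES or RC4, sorted by name."""
    return sorted(n for n in expand(cipher_string) if legacy_family(n))


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    # "Implemented" and "enabled" are separate questions: the library may
    # ship a suite while the application's cipher string leaves it out.
    for cipher_string in ("HIGH", "HIGH:!3DES:!RC4"):
        found = legacy_suites(cipher_string)
        print(f"{cipher_string!r}: {len(expand(cipher_string))} suites, "
              f"legacy: {found or 'none'}")
```

The result for plain HIGH depends on the OpenSSL build Python is linked against; the second string excludes both families explicitly regardless of how the build classifies them.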