[openssl-project] Proto over ciphers or ciphers over proto? (was: The problem of (implicit) relinking and changed behaviour)
Viktor Dukhovni
openssl-users at dukhovni.org
Sun Apr 15 21:31:29 UTC 2018
> On Apr 15, 2018, at 5:06 PM, Benjamin Kaduk <kaduk at mit.edu> wrote:
>
> IIUC a fixed DH certificate is incompatible with TLS 1.3 but can be
> TLS 1.2-compatible.

Yes, you're right, TLS 1.3 dropped fixed-dh support, but we've a while back dropped support for all the (authenticated) corresponding TLS 1.2 ciphers!

  $ OpenSSL_master/bin/openssl ciphers -stdname -v ALL | grep _DH_ | awk '{print $1}'
  TLS_DH_anon_WITH_AES_256_GCM_SHA384
  TLS_DH_anon_WITH_AES_128_GCM_SHA256
  TLS_DH_anon_WITH_AES_256_CBC_SHA256
  TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
  TLS_DH_anon_WITH_AES_128_CBC_SHA256
  TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256
  TLS_DH_anon_WITH_AES_256_CBC_SHA
  TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
  TLS_DH_anon_WITH_AES_128_CBC_SHA
  TLS_DH_anon_WITH_SEED_CBC_SHA
  TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA

We should perhaps also drop the fixed DH anon ones too; leaving them in might have been inadvertent.

--
Viktor.