[openssl-users] [openssl-dev] Replacing RFC2712 (was Re: Kerberos)

Nico Williams nico at cryptonector.com
Mon May 11 18:52:19 UTC 2015


On Mon, May 11, 2015 at 04:42:49PM +0000, Viktor Dukhovni wrote:
> On Mon, May 11, 2015 at 11:25:33AM -0500, Nico Williams wrote:
> 
> >  - If you don't want to depend on server certs, use anon-(EC)DH
> >    ciphersuites.
> > 
> >    Clients and servers must reject[*] TLS connections using such a
> >    ciphersuite but not using a GSS-authenticated application protocol.
> 
> [*] Except when employing unauthenticated encrypted communication
> to mitigate passive monitoring (oportunistic security).

As this would be replacing RFC2712, it's not opportunistic to begin with :)


More information about the openssl-users mailing list