[openssl-users] stunnel 5.46 released

Michal Trojnara Michal.Trojnara at stunnel.org
Thu May 31 04:09:07 UTC 2018


On 30.05.2018 19:12, Viktor Dukhovni wrote:

> So I would disable only kDH, but not DHE.  Keep in mind that
> some remote systems will not support EECDH, and by disabling
> DHE, you get only kRSA, which is worse.  So I think that
> '!DH' is unwise.
I respectfully disagree.  The only practical disadvantage of kRSA is
that it doesn't provide PFS.  Losing PFS is bad, but it's not a huge
price for ensuring secure key exchange.  Actually, there aren't that
many platforms nowadays that support kDHE and not kECDHE.

Best regards,
    Mike

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180531/1723364b/attachment.sig>


More information about the openssl-users mailing list