[openssl-users] is there an API to list all the TLS 1.3 cipher suite names?
Jordan Brown
openssl at jordan.maileater.net
Wed Jan 9 04:16:05 UTC 2019
On 1/8/2019 7:44 PM, Viktor Dukhovni wrote:
> So what you get is AESGCM with SHA2 or CHACHA20 with Poly1305.
> Breaks in either would be dramatic advances in cryptanalysis.
History shows that protocols, algorithms, and implementations all have
flaws. We assume that flaws will be discovered and design so that our
customers can work around them.
> You could just provide a free-form emergency string parameter that
> users are advised to not change unless some major advance makes it
> necessary. At that time, advice can be published as to what the
> override setting should be.
That doesn't sound like a 21st century user interface.
However, as I think about it, I remember that we already need a
softcoded list of algorithms, to avoid offering (e.g.) the PSK
algorithms. It sounds like TLS 1.3 will need the same. That's
unfortunate - I'd really like to treat the crypto subsystem as a black
box - but completely survivable.
--
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190109/26b4965d/attachment-0001.html>
More information about the openssl-users
mailing list