[Ach] pls pull, various changes

Aaron Zauner azet at azet.org
Sun Nov 10 20:48:16 CET 2013

On 10 Nov 2013, at 19:14, christian mock <cm at coretec.at> wrote:
> regarding the cipher suites for apache (and others) -- AFAICT you need
> apache 2.4 to support ECDHE (debian stable has 2.2), and maybe you
> don't trust EC. Without ECDHE, *all* versions of IE are excluded,
> which should at least be mentioned in the document, and will probably
> be a no-go in a commercial setting.
Thats correct. One could build from source though. Same thing for EL6 (at least EL6.4 does not ship a reasonable release of openssl).

> Also, the given settings exclude java (according to ssllabs),
> apparently because that only does AES128. That may be a problem for
> those people who are running SOAPy stuff.
Yup. Last week i ran into another problem with Java and DHE: While configuring SSL settings on a Cisco ASA i’ve disabled non-DHE cipersuites, which effectively locks you out of ASDM (their Java-based ASA device management thing). Java just reports handshake failure. I don’t have a solution for that yet (well, for the Java issue that is).

> So I'd suggest re-evaluating the exclusion of AES128, especially since
> the IIS settings do have it enabled.
I don’t think we should explicitly exclude AES-128 and AES-192. Those are secure algorithms. At least recommendations as found on keylenght.com do not suggest otherwise. [0]

> PPS: dear openssl authors, whyTF do you invent your own ciphersuite
>     names instead of using the RFC nomenclature? and why "EDH" and
>     "DHE" which mean the same AFAICT?


[0] - 128 bit symmetric algorithms provide “universal security” as specified in a (somewhat humorous) paper by lenstra et al.: http://eprint.iacr.org/2013/635 - don’t miss the footnote on cloud security.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1091 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20131110/93fbd572/attachment.sig>

More information about the Ach mailing list