[Ach] favor DHE over ECDHE? (was: preference of curves in ECC - ECDSA, ECDH)

Hanno Böck hanno at hboeck.de
Mon Mar 10 10:25:02 CET 2014

On Mon, 10 Mar 2014 10:21:15 +0100
Torsten Gigler <torsten.gigler at owasp.org> wrote:

> What do you think about to favor generally DHE ciphers over ECDHE, as
> long it is not clear which EC curves are save available by clients
> ans servers?

This is in theory a good idea, but ONLY if you use a reasonable large
DHE exchange. Most people use 1024 bit.

> I tried to priorize them also according to BSI
> TR-02102-2: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)

Always prefer GCM over CBC, no matter what AES size. CBC has issues,
AES128 has not.
Your config will e.g. cause firefox to connect with CBC.

Hanno Böck

mail/jabber: hanno at hboeck.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.cert.at/pipermail/ach/attachments/20140310/1140a91a/attachment.sig>

More information about the Ach mailing list