<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<html><body style='font-family: Verdana,Geneva,sans-serif'>
<p>The wiki page has an explanation at <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Prioritization_logic">https://wiki.mozilla.org/Security/Server_Side_TLS#Prioritization_logic</a></p>
<ol>
<li><em>AES 128 is preferred to AES 256. There has been [<a class="external text" href="http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg11247.html" rel="nofollow">discussions</a>] on whether AES256 extra security was worth the cost, and the result is far from obvious. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks.</em></li>
</ol>
<p>Removing it completely, however, provides no benefit. It would simply break clients that decide, for some reason, to only accept AES256.</p>
<p> </p>
<p>On 2014-06-14 12:20, Aaron Zauner wrote:</p>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><!-- html ignored --><!-- head ignored --><!-- meta ignored -->
<div dir="ltr">Just out of curiosity; why do you prefer 128bit symmetric ciphers over 256bit ones? In your case both are included, the preference does not make sense to me.
<div>i.e.: I'd either drop AES256 or order according to symmetric cipher security (given the same key exchange, MAC,..)</div>
</div>
<div class="gmail_extra"><br /><br />
<div class="gmail_quote">On Sat, Jun 14, 2014 at 4:35 AM, Julien Vehent <span><<a href="mailto:julien@linuxwall.info">julien@linuxwall.info</a>></span> wrote:<br />
<blockquote class="gmail_quote" style="margin: 0 0 0 .8ex; border-left: 1px #ccc solid; padding-left: 1ex;">
<div>On 2014-06-12 07:09, Hubert Kario wrote:<br />
<blockquote class="gmail_quote" style="margin: 0 0 0 .8ex; border-left: 1px #ccc solid; padding-left: 1ex;">While choice of RC4 is bad, they plan to remove it and reinstate 3DES:<br /><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=927045">https://bugzilla.mozilla.org/<span style="text-decoration: underline;"></span>show_bug.cgi?id=927045</a> Real Time Soon™</blockquote>
</div>
We did, at least, put 3DES above RC4 in production. The CPU cost was minimal, so I'll update the wiki page Real Time Soon™<br /><br /> $ ./cipherscan <a href="http://mozilla.org">mozilla.org</a><br /> ........<br /> prio ciphersuite protocols pfs_keysize<br /> 1 DHE-RSA-AES128-SHA SSLv3,TLSv1,TLSv1.1 DH,1024bits<br /> 2 DHE-RSA-AES256-SHA SSLv3,TLSv1,TLSv1.1 DH,1024bits<br /> 3 EDH-RSA-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1 DH,1024bits<br /> 4 AES128-SHA SSLv3,TLSv1,TLSv1.1<br /> 5 AES256-SHA SSLv3,TLSv1,TLSv1.1<br /> 6 DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1<br /> 7 RC4-SHA SSLv3,TLSv1,TLSv1.1<br /><br /> Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature<br /> TLS ticket lifetime hint: None<br /> OCSP stapling: supported<br /><br /> We also started deprecating SSL3 and TLS1 from new sites that require newer browsers, and where backward compatibility is not needed.<span class="HOEnZb"><span style="color: #888888;"><br /><br /> - Julien</span></span>
<div class="HOEnZb">
<div class="h5"><br /> ______________________________<span style="text-decoration: underline;"></span>_________________<br /> Ach mailing list<br /><a href="mailto:Ach@lists.cert.at">Ach@lists.cert.at</a><br /><a href="http://lists.cert.at/cgi-bin/mailman/listinfo/ach">http://lists.cert.at/cgi-bin/<span style="text-decoration: underline;"></span>mailman/listinfo/ach</a></div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</body></html>