[Ach] Vote for new Cipherstring B [Was: Issue with OpenSSL >0.9.8l]

Aaron Zauner azet at azet.org
Sat May 17 17:45:47 CEST 2014


Hi *,

Adi Kriegisch wrote:
>> After following this discussion, on my servers I settled for a sweet and
>> short:
>>     'kEDH+aRSA+AES128:kEECDH+aRSA+AES128:+SSLv3'
> Nice. ;-)
I agree. :)

> Take what happened with RC4: about the whole internet chose RC4 after some
> issues but most admins never reconsidered their choice[1]. There for sure
> is an urgent need to update security configurations from time to time.
Actually implementations should be able to decide between RC4 and CBC.
In TLS 1.2 the CBC issue is fixed, then again GCM is available in TLS
1.2. So a library should never need to use RC4 in TLS 1.2 - this is of
course far from reality, but it'll probably only require some 10 LoC in
OpenSSL to fix.

Aaron
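
An added example, not part of the original message: it expands the cipher string quoted above with Python's `ssl` module (which wraps the local OpenSSL build) to check that it enables no RC4 and to show which suites are CBC and which are AEAD. The helper names `mode_of`, `expand` and `audit` are hypothetical, and the exact suite list depends on the installed OpenSSL version.

```python
import ssl

# Cipher string quoted in the message above.
CIPHERSTRING = "kEDH+aRSA+AES128:kEECDH+aRSA+AES128:+SSLv3"


def mode_of(name):
    """Classify a suite by its OpenSSL name: RC4 stream, AEAD, or CBC."""
    if "RC4" in name:
        return "RC4"
    if any(tag in name for tag in ("GCM", "CCM", "CHACHA20")):
        return "AEAD"
    return "CBC"


def expand(cipherstring):
    """Return the TLS <= 1.2 suites the local OpenSSL enables for the string.

    TLS 1.3 suites are configured separately in OpenSSL and are not
    affected by this string, so they are filtered out here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipherstring)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipherstring):
    """Group the enabled suites as {mode: [(name, min_protocol), ...]}."""
    report = {"AEAD": [], "CBC": [], "RC4": []}
    for suite in expand(cipherstring):
        report[mode_of(suite["name"])].append((suite["name"], suite["protocol"]))
    return report


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for mode, suites in audit(CIPHERSTRING).items():
        print(f"{mode}: {len(suites)} suite(s)")
        for name, proto in suites:
            print(f"  {name:32} minimum protocol {proto}")
```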
