[Ach] Cipher-Order: AES128/AES256 - was: Secure E-Mail Transport based on DNSSec/TLSA/DANE

Aaron Zauner azet at azet.org
Tue Nov 3 10:23:05 CET 2015


Which OpenSSL version are you testing with?

2015-11-03 8:58 GMT+01:00 Gunnar Haslinger <gh.bettercrypto at hitco.at>:

>
> Azet:
>
>> Nevertheless I feel the same way, AES128 should be preferred;
>> and that's exactly what we're doing with the latest version of
>> our bettercrypto cipherstring recommendation:
>>
>> https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/common/cipherStringB.tex
>>
>
>
> The current recommendation for Apache is different to the CipherString-B.
> Probably that's only a mistake (as Aaron Kaplan already answered).
>
> But even when comparing these two ciphers, none of them prefers AES128 to
> AES256:
>
>
>
> https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/configuration/Webservers/Apache/default-ssl
> root@Sec-NS2:~# openssl ciphers -v 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
> DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
> DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
> ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
> ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
> DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
> DHE-RSA-AES128-SHA256       TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
> ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
> ECDHE-RSA-AES128-SHA256     TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
> DHE-RSA-CAMELLIA256-SHA     SSLv3   Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
> DHE-RSA-AES256-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
> ECDHE-RSA-AES256-SHA        SSLv3   Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
> DHE-RSA-CAMELLIA128-SHA     SSLv3   Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
> DHE-RSA-AES128-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
> ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
> CAMELLIA256-SHA             SSLv3   Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
> AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
> CAMELLIA128-SHA             SSLv3   Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
> AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
>
>
>
> https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/common/cipherStringB.tex
> root@Sec-NS2:~# openssl ciphers -v 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
> DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
> DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
> ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
> ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
> DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
> DHE-RSA-AES128-SHA256       TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
> ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
> ECDHE-RSA-AES128-SHA256     TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
> DHE-RSA-CAMELLIA256-SHA     SSLv3   Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
> DHE-RSA-AES256-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
> ECDHE-RSA-AES256-SHA        SSLv3   Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
> DHE-RSA-CAMELLIA128-SHA     SSLv3   Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
> DHE-RSA-AES128-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
> ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
> CAMELLIA128-SHA             SSLv3   Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
> AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1


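One way to check the key-size ordering discussed in this message, as an added example that is not part of the original mail: it parses `openssl ciphers -v` output, tolerating `Mac=` fields wrapped onto their own line, and reports the suite classes in which the 256-bit variant is ranked ahead of the 128-bit one. The function names and the grouping by protocol column, Kx, Au and cipher family are assumptions of this example.

```python
import re

# Four suites copied from the listing quoted above, in their original relative
# order, with the Mac= field wrapped onto its own line as mail transport does.
SAMPLE = """\
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256)
 Mac=AEAD
DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128)
 Mac=AEAD
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)
Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)
Mac=SHA1
"""

FIELD = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")
ENC = re.compile(r"(\w+)\((\d+)\)")


def parse_ciphers(text):
    """Parse `openssl ciphers -v` output into dicts, in preference order."""
    suites = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()      # tolerate mail quote markers
        fields = dict(FIELD.findall(line))
        if "Kx" in fields:                    # first line of a suite
            name, proto = line.split()[:2]
            suites.append({"name": name, "proto": proto, **fields})
        elif fields and suites:               # wrapped continuation line
            suites[-1].update(fields)
    return suites


def key_sizes_by_class(suites):
    """Map (proto, Kx, Au, cipher family) -> key sizes in preference order."""
    classes = {}
    for s in suites:
        m = ENC.fullmatch(s.get("Enc", ""))
        if m:
            key = (s["proto"], s["Kx"], s["Au"], m.group(1))
            classes.setdefault(key, []).append(int(m.group(2)))
    return classes


def classes_preferring_256(suites):
    """Classes offering both key sizes where 256-bit is listed before 128-bit."""
    return [k for k, bits in key_sizes_by_class(suites).items()
            if 128 in bits and 256 in bits and bits.index(256) < bits.index(128)]


if __name__ == "__main__":
    for cls in classes_preferring_256(parse_ciphers(SAMPLE)):
        print("256-bit preferred in", cls)
```

An empty result from `classes_preferring_256` means that no class ranks its 256-bit suite ahead of the 128-bit one.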