[Ach] Apache, Dovecot and other Cipherstrings aren't matching CipherString-B
Gunnar Haslinger
gh.bettercrypto at hitco.at
Sat Nov 7 14:32:39 CET 2015
> On 2015-11-03 00:38, Aaron Zauner wrote:
> Nevertheless I feel the same way, AES128 should be preferred;
> and that's exactly what we're doing with the latest version of
> our bettercrypto cipherstring recommendation:
> https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/common/cipherStringB.tex
On 2015-11-03 07:57 Gunnar Haslinger wrote:
> CipherString-B in Theory-Section 3.2.3 is different to
> Apache-Recommendation in Section 2.1.1.
On 2015-11-03 08:04 L. Aaron Kaplan wrote:
> This sounds like a mistake then. They should be the same.
I just checked the current Dovecot Cipherstring - and it differs from
CipherString-B too (equal to Apache).
nginx differs too (equal to Apache)
lighttpd differs too (similar to Apache) - additionally there is a ":"
missing between "!aNULL!eNULL".
Cherokee seems to be copied from lighttpd, so same missing ":" between
"!aNULL!eNULL".
cyrus - like dovecot / apache
postfix - like dovecot / apache
IronPort: similar to dovecot / apache but additional: "!SRP"
Finding a single Cipherstring being suitable for a variety of
OpenSSL-Versions is very hard. At least on current Debian 8.2 we
realized that CipherString-B is not sorted as it was thought to be when
current recommendation in the guide was merged. The discussion led to:
maybe there should be separated recommendations for different
Versions/OS-Distributions.
But how should we deal with these differences in the guide in the meantime?
Should the Apache, Dovecot, nginx, lighttpd, etc. CipherStrings be changed
to match CipherString-B?
Should CipherString-B get an Update?
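As an added example (not from this thread or from the guide), a small Python linter that tokenizes OpenSSL-style cipher strings, flags fused rules such as "!aNULL!eNULL" where a ":" is missing, and reports where per-service strings differ from a reference string in membership or order. The cipher strings in it are constructed samples, not the guide's real CipherString-B or service recommendations.

```python
import re

# Simplified OpenSSL cipher-string grammar: rules are separated by ':' (',' and
# ' ' are accepted too); a rule is an optional '!', '-' or '+' prefix, a name
# made of [A-Za-z0-9.=-], optionally ANDed with further names via '+'
# (e.g. "EECDH+aRSA+AESGCM"); "@STRENGTH" is a sort directive.
RULE_RE = re.compile(r"^(?:@[A-Za-z]+(?:=\d+)?|[!+-]?[A-Za-z0-9.=-]+(?:\+[A-Za-z0-9.=-]+)*)$")


def tokenize(cipherstring):
    """Split a cipher string into rules; return (well_formed, malformed)."""
    rules, malformed = [], []
    for raw in re.split(r"[:, ]+", cipherstring.strip()):
        if not raw:
            continue
        # A token such as "!aNULL!eNULL" (two rules fused by a missing ':')
        # does not match the grammar and is reported instead of silently kept.
        (rules if RULE_RE.match(raw) else malformed).append(raw)
    return rules, malformed


def compare(reference, candidate):
    """Report how a service's cipher string deviates from the reference."""
    ref_rules, _ = tokenize(reference)
    cand_rules, malformed = tokenize(candidate)
    shared_ref = [r for r in ref_rules if r in cand_rules]
    shared_cand = [r for r in cand_rules if r in ref_rules]
    return {
        "malformed": malformed,
        "missing": [r for r in ref_rules if r not in cand_rules],
        "extra": [r for r in cand_rules if r not in ref_rules],
        # Order matters to OpenSSL (server preference), so flag reordering too.
        "same_order": shared_ref == shared_cand,
    }


def audit(reference, configs):
    """Compare every service string against the reference string."""
    return {name: compare(reference, cs) for name, cs in configs.items()}


# Constructed sample values mimicking the deviations reported in the thread;
# they are NOT the guide's real CipherString-B or service recommendations.
REFERENCE = ("EECDH+AESGCM:EDH+AESGCM:EECDH+AES256:EDH+AES256"
             ":!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4")
CONFIGS = {
    "apache": REFERENCE.replace("EECDH+AESGCM:EDH+AESGCM", "EDH+AESGCM:EECDH+AESGCM"),
    "lighttpd": REFERENCE.replace("!aNULL:!eNULL", "!aNULL!eNULL"),  # missing ':'
    "ironport": REFERENCE + ":!SRP",
}

if __name__ == "__main__":
    for name, report in audit(REFERENCE, CONFIGS).items():
        print(name, report)
```

Running it against real configs means pasting each service's SSLCipherSuite / ssl_cipher_list value into CONFIGS; the report says which rules are malformed, missing, extra, or reordered relative to the reference.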