> On 2015-11-03 00:38, Aaron Zauner wrote:
> Nevertheless I feel the same way, AES128 should be preferred;
> and that's exactly what we're doing with the latest version of
> our bettercrypto cipherstring recommendation:
> https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/common/cipherStringB.tex

On 2015-11-03 07:57 Gunnar Haslinger wrote:
> CipherString-B in Theory-Section 3.2.3 is different to Apache-Recommendation in Section 2.1.1.

On 2015-11-03 08:04 L. Aaron Kaplan wrote:
> This sounds like a mistake then. They should be the same.

I just checked the current Dovecot Cipherstring - and it differs from CipherString-B too (equal to Apache).

nginx differs too (equal to Apache)
lighttpd differs too (similar to Apache) - additionally there is a ":" missing between "!aNULL!eNULL".
Cherokee seems to be copied from lighttpd, so same missing ":" between "!aNULL!eNULL".
cyrus - like dovecot / apache
postfix - like dovecot / apache
IronPort: similar to dovecot / apache but additional: "!SRP"

Finding a single Cipherstring that is suitable for a variety of OpenSSL-Versions is very hard. At least on current Debian 8.2 we realized that CipherString-B is not sorted as it was thought to be when the current recommendation in the guide was merged. The discussion led to: maybe there should be separate recommendations for different Versions/OS-Distributions.

But how should we deal with these differences in the guide in the meantime?
Should Apache, Dovecot, nginx, lighttpd, etc. CipherStrings be changed to match CipherString-B?
Should CipherString-B get an update?

_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
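The two checks the message above does by hand, as an added example that is not part of the thread or the bettercrypto guide: linting a cipher string for a fused "!aNULL!eNULL" token, diffing one application's string against the guide's, and asking the local OpenSSL how it actually orders the string (the Debian 8.2 sorting issue). The sample cipher strings are constructed for illustration and are not the guide's real CipherString-B or its Apache/lighttpd recommendations.

```python
"""Lint and compare OpenSSL cipher strings (added example, not bettercrypto
guide code). The sample strings in __main__ are constructed, not the guide's
actual CipherString-B or its Apache/lighttpd recommendations."""
import re
import shutil
import subprocess

SEP = re.compile(r"[:, ]+")  # OpenSSL accepts ':', ',' or space as separators


def tokens(cs):
    """Split a cipher string into its tokens, dropping empty ones."""
    return [t for t in SEP.split(cs.strip()) if t]


def lint_cipherstring(cs):
    """Return the problems found in a cipher string.

    Flags the defect from the thread: "!aNULL!eNULL" arrives as one token
    when the ':' between the two negations is missing. How a given OpenSSL
    parser treats that is version-specific, so normalize and then compare
    the expansions with expand_with_openssl() on each target host.
    """
    return ["missing ':' inside token %r" % t for t in tokens(cs) if "!" in t[1:]]


def fix_fused_negations(cs):
    """Insert the ':' that a fused negation such as "!aNULL!eNULL" lacks."""
    return re.sub(r"(?<=[A-Za-z0-9])!", ":!", cs)


def diff_cipherstrings(a, b):
    """Tokens only in a and tokens only in b, each in its original order."""
    ta, tb = tokens(a), tokens(b)
    return [t for t in ta if t not in tb], [t for t in tb if t not in ta]


def expand_with_openssl(cs):
    """Ordered cipher list the local OpenSSL derives from cs, or None if
    no openssl binary is installed; [] if OpenSSL rejects the string."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "ciphers", cs], capture_output=True, text=True)
    return out.stdout.strip().split(":") if out.returncode == 0 else []


if __name__ == "__main__":
    guide = "EECDH+aRSA+AESGCM:EDH+aRSA+AESGCM:!aNULL:!eNULL:!MD5:!RC4"  # constructed
    lighttpd = "EECDH+aRSA+AESGCM:EDH+aRSA+AESGCM:!aNULL!eNULL:!MD5:!RC4:!SRP"  # constructed
    print(lint_cipherstring(lighttpd))
    print(diff_cipherstrings(guide, fix_fused_negations(lighttpd)))
    print(expand_with_openssl(guide))  # run this on each distribution you ship to
```

Because the same string expands and sorts differently across OpenSSL versions, compare the output of expand_with_openssl() between hosts rather than the strings themselves.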
