On Mon, 9 Sep 2013 17:29:24 +0100
Ben Laurie <b...@links.org> wrote:

> Perry asked me to summarise the status of TLS a while back ...
> luckily I don't have to because someone else has:
>
> http://tools.ietf.org/html/draft-sheffer-tls-bcp-00
>
> In short, I agree with that draft. And the brief summary is: there's
> only one ciphersuite left that's good, and unfortunately it's only
> available in TLS 1.2:
>
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

I don't really see from the document why the authors discourage
ECDHE-suites and AES-256. Both should be okay and we end up with four
suites:

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Also, DHE should only be considered secure with a large enough modulus
(>=2048 bit). Apache hard-fixes this to 1024 bit and it's not
configurable. So an argument can even be made that ECDHE is more
secure - it doesn't have a widely deployed webserver using it in an
insecure way.

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
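
Added example, not part of the original message: a small audit that applies the criteria stated in the reply above (the four listed suites, and a DHE modulus of at least 2048 bit) to a server's suite list. The function names and the sample suite list are constructed for illustration.

```python
# Policy taken from the message above: (EC)DHE key exchange, RSA auth,
# AES-128/256 in GCM mode, and a DHE modulus of at least 2048 bit.
MIN_DH_BITS = 2048
LISTED_CIPHERS = {"AES_128_GCM", "AES_256_GCM"}

# Constructed sample: the four suites from the message plus two others.
SAMPLE_SUITES = [
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]

def parse_suite(name):
    """Split an IANA TLS 1.2 suite name into its components."""
    head, sep, tail = name.partition("_WITH_")
    if not sep or not head.startswith("TLS_"):
        raise ValueError(f"not a TLS 1.2 suite name: {name!r}")
    parts = head[len("TLS_"):].split("_")
    kx, auth = parts[0], parts[-1]      # "RSA" alone means RSA key transport
    cipher, _, prf = tail.rpartition("_")
    return {"kx": kx, "auth": auth, "cipher": cipher, "hash": prf}

def findings(name, dh_bits):
    """Return the reasons a suite falls outside the policy (empty = ok)."""
    s = parse_suite(name)
    out = []
    if s["kx"] not in ("DHE", "ECDHE"):
        out.append("no ephemeral (EC)DHE key exchange")
    if s["auth"] != "RSA":
        out.append("not RSA-authenticated like the listed suites")
    if s["cipher"] not in LISTED_CIPHERS:
        out.append(f"cipher {s['cipher']} is not AES-GCM")
    # The modulus size only matters for finite-field DHE, not ECDHE.
    if s["kx"] == "DHE" and dh_bits < MIN_DH_BITS:
        out.append(f"DHE modulus is {dh_bits} bit, below {MIN_DH_BITS}")
    return out

def accepted(suites, dh_bits):
    """Suites that pass the policy for a server using dh_bits DH parameters."""
    return [n for n in suites if not findings(n, dh_bits)]

if __name__ == "__main__":
    for bits in (1024, 2048):
        print(f"server DH modulus: {bits} bit")
        for name in SAMPLE_SUITES:
            why = findings(name, bits)
            print(f"  {'ok    ' if not why else 'reject'} {name} {'; '.join(why)}")
```

With a fixed 1024-bit modulus, as described for Apache in the message, only the two ECDHE suites remain acceptable.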