On 06/11/18 15:14, Tomas Mraz wrote:
>> Okay, so IIUC now, this is an all-or-nothing kind of change. If I
>> elect/need to use LEGACY to administer some old hardware that I
>> otherwise connect to using the defaults, then I'm compromising that
>> host's security for anything/everything its used for until it's taken
>> back off LEGACY and returned to whatever the non-LEGACY is called.
>> Do I
>> have it right now?
> Yes, except one thing. Just by switching to LEGACY it does not mean
> you're compromising the host's security. The protocol negotiation and
> ciphersuite ordering still applies and it will use the best available
> protocol and ciphersuite and not some random insecure protocol version
> and ciphersuite. The insecure protocols and ciphersuites will be used
> only in the case the other end does not know anything better.
Could switching to LEGACY allow some man-in-the-middle downgrade
attacks, in which an attacker manipulates the initial phases of
handshakes, and tricks the parties to use a weaker protocol?
devel mailing list -- firstname.lastname@example.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines