On 06/11/18 15:14, Tomas Mraz wrote: >> Okay, so IIUC now, this is an all-or-nothing kind of change. If I >> elect/need to use LEGACY to administer some old hardware that I >> cannot >> otherwise connect to using the defaults, then I'm compromising that >> host's security for anything/everything its used for until it's taken >> back off LEGACY and returned to whatever the non-LEGACY is called. >> Do I >> have it right now? > > Yes, except one thing. Just by switching to LEGACY it does not mean > you're compromising the host's security. The protocol negotiation and > ciphersuite ordering still applies and it will use the best available > protocol and ciphersuite and not some random insecure protocol version > and ciphersuite. The insecure protocols and ciphersuites will be used > only in the case the other end does not know anything better.
Could switching to LEGACY allow some man-in-the-middle downgrade attacks, in which an attacker manipulates the initial phases of handshakes, and tricks the parties to use a weaker protocol? Kai _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/NL36VBZ7FSCXDGABTZXIJHIJEA5FJQB2/
