On Sun, 2017-03-05 at 20:59 -0600, Pascal wrote:
> Yes, thank you, I was able to confirm that RSA is DOA in 1476. 1475
> and before only supported RSA so 1476 broke SSL for everyone, though I
> doubt many people use it.
>

You are the first one to complain about it.

> The bigger issue is why 1476 built at all. It has been a long time
> since I did any development for Freenet. Are there not unit tests
> for the SSL libraries? I wonder what that says about Fred's code
> coverage in general.
>

No, there aren't any unit tests for that specific feature (that is
non-default and very few people use).

> Is someone trying to reinvent the wheel here? It looks like 1476
> only supports TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256. I can't
> imagine there is not a SSL library that can be integrated with Fred
> that implements all the common standards including detecting client
> support for them.
>

IIRC we use a subset of whatever the JCE supports... and our subset
happens to be narrower with 1476.

Put it back into context: it was changed because the previous
cipher-set was using DHE and that it is impossible to do right in java
(can't change the group).

> I agree with Florent "that we should switch to what others are doing
> cipher-wise", and half the ciphers at the provided link are RSA. What
> I don't understand is why the provided link did not go to the
> Intermediate (default) security model. When something is the default
> that is typically what others are doing.
>

With freenet we always aim at doing "better". In this instance, there
is a very good reason why the Intermediate profile is something we
shouldn't use: it allows for DH-based ciphers.

Should we have implemented the Secure profile instead? Probably! You're
welcome to send a patch.

Florent
_______________________________________________
Devl mailing list
Devl@freenetproject.org
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
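The trade-off discussed in this thread, as an added example that is not Freenet's code and not part of the original message: pick a subset of the JSSE-supported suites that still excludes finite-field DHE but keeps both ECDSA and RSA certificates usable. The class and method names (CipherSubset, select, usableWith) are hypothetical, and the key-type check is a simplification based on suite names only.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class CipherSubset {
    // Keep only ECDHE key exchange with AES-GCM. DHE and static-RSA key
    // exchange suites never start with TLS_ECDHE_, so they are dropped,
    // while RSA remains available for authentication (certificate key).
    static List<String> select(String[] supported) {
        List<String> ecdsa = new ArrayList<>();
        List<String> rsa = new ArrayList<>();
        for (String s : supported) {
            if (!s.contains("_GCM_")) continue;
            if (s.startsWith("TLS_ECDHE_ECDSA_WITH_")) ecdsa.add(s);
            else if (s.startsWith("TLS_ECDHE_RSA_WITH_")) rsa.add(s);
        }
        ecdsa.addAll(rsa); // ECDSA suites first, RSA suites after
        return ecdsa;
    }

    // Simplified check: does any enabled suite authenticate with the key
    // type of the server certificate? certKeyAlg is what
    // PublicKey.getAlgorithm() returns ("RSA" or "EC").
    static boolean usableWith(String certKeyAlg, List<String> suites) {
        String auth = certKeyAlg.equals("EC") ? "ECDSA" : certKeyAlg;
        return suites.stream().anyMatch(s -> s.startsWith("TLS_ECDHE_" + auth + "_"));
    }

    public static void main(String[] args) throws Exception {
        // The single suite named in the thread: an RSA certificate has no match.
        List<String> narrow = Arrays.asList("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
        System.out.println("narrow set usable with RSA cert: " + usableWith("RSA", narrow));

        SSLParameters params = SSLContext.getDefault().getSupportedSSLParameters();
        List<String> chosen = select(params.getCipherSuites());
        if (chosen.isEmpty())
            throw new IllegalStateException("provider offers no ECDHE+GCM suites");
        System.out.println("wider set usable with RSA cert:  " + usableWith("RSA", chosen));

        // Apply via SSLServerSocket.setSSLParameters(params) or SSLEngine.setSSLParameters(params).
        params.setCipherSuites(chosen.toArray(new String[0]));
        chosen.forEach(System.out::println);
    }
}
```

Running usableWith against the configured suite list and the key type of the installed certificate at start-up is the kind of check that would have flagged the RSA breakage described above before release.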