On 06/11/13 21:02, Alexander Holler wrote:
> On 30.10.2013 15:58, Thijs Alkemade wrote:
>> On 30 Oct 2013, at 15:53, Tomasz Sterna <[email protected]> wrote:
>>> On Wed, 2013-10-30 at 01:21 +0100, Mathieu Pasquet wrote:
>>>> Dropping SSLv2 is all good and I'm not even sure why SSLv2 was
>>>> supported initially (doesn't xmpp appear after SSLv3 was
>>>> standardized?), but dropping SSLv3, while also a good idea, might
>>>> cause issues with lots of servers
>>>
>>> And discouraging TLSv1 in favor of TLSv1.2 when latest OpenSSL does not
>>> even support TLSv1.1 nor v1.2 is a pie-in-the-sky.
>>
>> OpenSSL supports TLS 1.2 since 1.0.1 (and I think TLS 1.1 since the same
>> version), released March 14th, 2012.
>>
>
> Not exactly the same, but I don't like the part
>
> "or require cipher suites that enable forward secrecy"
That in itself isn't bad at all, rather the opposite, it's great. But yes, what are the implications of a push towards this?

OpenSSL supports and accepts 16-bit DHE groups. [1] Current Java 6 & 7 don't like any DHE > 1024 bits (a workaround exists by using Bouncy Castle's JCE).

Without looking at what is still around as Alexander did, I wonder about the consequences of such a push. When choosing the wrong thing we might be *worse* off. I don't feel this is addressed in https://datatracker.ietf.org/doc/draft-saintandre-xmpp-tls/?include_text=1

And the best of it all: we don't have a way to negotiate the size of the DHE; whatever the server sends is to be used. [2]

Would it be possible to change the wording in a meaningful way to either make operators more aware of the pitfalls and/or make sure that they're not actually downgrading what they currently use?

Other opinions? Am I overlooking some things?

salut,
kwadronaut

[1] http://marc.info/?l=openssl-dev&m=138371309522047&w=2
[2] https://www.ietf.org/mail-archive/web/tls/current/msg10022.html

_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
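The client-side check kwadronaut's point calls for, as an added example that is not part of this thread or of any XMPP project: since TLS 1.x gives the client no way to negotiate the DHE group, the only defence is to parse the ServerDHParams the server sends and refuse groups below a policy minimum. The 2048-bit threshold, the function names and the sample parameters are assumptions made for illustration.

```python
import struct

# Added example, not from the thread: a client-side minimum on the DHE group
# the server dictates in ServerKeyExchange (TLS gives the client no way to
# negotiate it). Policy value and samples are assumptions for illustration.
MIN_DH_BITS = 2048  # 1024 was the Java 6/7 ceiling mentioned in the mail

def _read_vector(buf, offset):
    """Read one opaque<1..2^16-1> field (2-byte length prefix, RFC 5246)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack_from("!H", buf, offset)
    offset += 2
    if length == 0 or offset + length > len(buf):
        raise ValueError("bad vector length")
    return buf[offset:offset + length], offset + length

def parse_server_dh_params(buf):
    """Parse ServerDHParams {dh_p, dh_g, dh_Ys} into (p, g, Ys, bytes_used)."""
    p, off = _read_vector(buf, 0)
    g, off = _read_vector(buf, off)
    ys, off = _read_vector(buf, off)
    return (int.from_bytes(p, "big"), int.from_bytes(g, "big"),
            int.from_bytes(ys, "big"), off)

def check_dh_params(buf, min_bits=MIN_DH_BITS):
    """Return (ok, reason); ok is False for groups the policy rejects."""
    p, g, ys, _ = parse_server_dh_params(buf)
    bits = p.bit_length()
    if bits < min_bits:
        return False, "dh_p is %d bits, below minimum %d" % (bits, min_bits)
    if p % 2 == 0:
        return False, "dh_p is even, cannot be prime"
    if not 2 <= g < p - 1:
        return False, "dh_g out of range"
    if not 2 <= ys < p - 1:
        return False, "dh_Ys is a trivial value (0, 1, p-1 or larger)"
    return True, "dh_p is %d bits" % bits

def encode_server_dh_params(p, g, ys):
    """Inverse of the parser; used only to build the constructed samples."""
    out = b""
    for n in (p, g, ys):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(b)) + b
    return out

# Constructed samples (not real primes; only their size matters here).
WEAK_SAMPLE = encode_server_dh_params((1 << 511) | 1, 2, 12345)
OK_SAMPLE = encode_server_dh_params((1 << 2047) | 1, 2, 12345)
```

A real client would additionally have to decide what to do when the server's group is too small: abort the handshake, or fall back to a non-DHE suite it also offered, which is exactly the trade-off the mail is asking the draft to spell out.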
