On Wed, 2015-02-18 at 10:43 -0600, Short, Todd wrote:
> The Cisco ASA uses hardware-assist for IPSec/TLS/SSL/DTLS, and most of
> that work was done before DTLS was standardized. This is also the
> reason why Cisco ASA support for TLSv1.1/v1.2 is a long time coming.
> The Cisco ASA VPN team is very small, and they’ve lost people on the
> VPN team recently.

It might be interesting to see if that kind of offload is still
worthwhile, given the rate at which modern CPUs can do AES-GCM.

> The Cisco ASA has recently updated to OpenSSL 1.0.1 (right before
> Heartbleed broke out), so it really depends on what version of the ASA
> code you are running.

I still haven't seen any version of the ASA using anything but
DTLS1_BAD_VER so far. We do use DTLS1.2 and AES-GCM with ocserv, but not
the Cisco ASA.

--
David Woodhouse
Open Source Technology Centre
[email protected]
Intel Corporation
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
