> So, if it’s “mandatory”, then it should be in the default set of ciphers, not
> necessarily the “HIGH” set.
>
> I’m selecting “HIGH” because I want 128-bit+ ciphers, not a cipher that
> has subsequently been found to be weaker than previously thought.

I used to think that MTI doesn’t mean “Mandatory To Offer”. My codebase must have it, but my server (and/or client) configuration may explicitly forbid it. Is there anything wrong with this view?

> --
> -Todd Short
> // [email protected]
> // "One if by land, two if by sea, three if by the Internet."
>
>> On Feb 12, 2016, at 3:36 PM, Viktor Dukhovni <[email protected]>
>> wrote:
>>
>>
>>> On Feb 12, 2016, at 3:15 PM, Salz, Rich <[email protected]> wrote:
>>>
>>> So is RC4 and we don't see that as HIGH. HIGH implies strength, not
>>> MTI-ness.
>>
>> Now let's not make stuff up:
>>
>> http://tools.ietf.org/html/rfc5246#section-9
>>
>> 9. Mandatory Cipher Suites
>>
>> In the absence of an application profile standard specifying
>> otherwise, a TLS-compliant application MUST implement the cipher
>> suite TLS_RSA_WITH_AES_128_CBC_SHA (see Appendix A.5 for the
>> definition).
>>
>> http://tools.ietf.org/html/rfc4346#section-9
>>
>> 9. Mandatory Cipher Suites
>>
>> In the absence of an application profile standard specifying
>> otherwise, a TLS compliant application MUST implement the cipher
>> suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.
>>
>> http://tools.ietf.org/html/rfc2246#section-9
>>
>> 9. Mandatory Cipher Suites
>>
>> In the absence of an application profile standard specifying
>> otherwise, a TLS compliant application MUST implement the cipher
>> suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.
>>
>> Since many users enable just HIGH ciphers, they must not exclude the MTI
>> ciphers.
>>
>> --
>> --
>> Viktor.
>>
>> --
>> openssl-dev mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>
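The distinction raised in the message above, between a suite being implemented by the library and being offered by a given cipher string, can be checked against a local OpenSSL build. This is an added example, not part of the original thread or of OpenSSL's own code; the helper names and the mapping from RFC suite names to OpenSSL cipher names are assumptions of the example.

```python
import ssl

# MTI suites quoted in the thread (RFC 5246, 4346, 2246) mapped to the OpenSSL
# cipher names they are assumed to carry (older releases spell DHE as EDH).
MTI_SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": {"AES128-SHA"},
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": {"DES-CBC3-SHA"},
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA": {"DHE-DSS-DES-CBC3-SHA",
                                          "EDH-DSS-DES-CBC3-SHA"},
}


def offered(cipher_string):
    """Cipher names the local OpenSSL enables for this cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return set()  # the string selects nothing in this build
    return {c["name"] for c in ctx.get_ciphers()}


def implemented():
    """Everything this build can negotiate, ignoring the security level."""
    return offered("ALL:@SECLEVEL=0") or offered("ALL")


def mti_report(cipher_string):
    """Classify each MTI suite under cipher_string for the local build."""
    enabled, built = offered(cipher_string), implemented()
    report = {}
    for rfc_name, openssl_names in MTI_SUITES.items():
        if openssl_names & enabled:
            report[rfc_name] = "offered"
        elif openssl_names & built:
            report[rfc_name] = "implemented, not offered"
        else:
            report[rfc_name] = "not in this build"
    return report


if __name__ == "__main__":
    # "HIGH:!AES128-SHA" is a constructed policy that forbids one MTI suite.
    for policy in ("HIGH", "HIGH:!AES128-SHA"):
        print(policy)
        for suite, status in mti_report(policy).items():
            print(f"  {suite}: {status}")
```

Results depend on the OpenSSL version and build options Python is linked against, so the 3DES entries in particular differ between installations.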
