On Friday 12 February 2016 15:36:36 Viktor Dukhovni wrote:
> > On Feb 12, 2016, at 3:15 PM, Salz, Rich <[email protected]> wrote:
> >
> > So is RC4 and we don't see that as HIGH. HIGH implies strength, not
> > MTI-ness.
>
> Now let's not make stuff up:
>
> http://tools.ietf.org/html/rfc5246#section-9
>
> 9. Mandatory Cipher Suites
>
>    In the absence of an application profile standard specifying
>    otherwise, a TLS-compliant application MUST implement the cipher
>    suite TLS_RSA_WITH_AES_128_CBC_SHA (see Appendix A.5 for the
>    definition).
>
> http://tools.ietf.org/html/rfc4346#section-9
>
> 9. Mandatory Cipher Suites
>
>    In the absence of an application profile standard specifying
>    otherwise, a TLS compliant application MUST implement the cipher
>    suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.
>
> http://tools.ietf.org/html/rfc2246#section-9
>
> 9. Mandatory Cipher Suites
>
>    In the absence of an application profile standard specifying
>    otherwise, a TLS compliant application MUST implement the cipher
>    suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.
>
> Since many users enable just HIGH ciphers, they must not exclude the
> MTI ciphers.

MTI means Mandatory To Implement, not Mandatory To Deploy or Mandatory To
Enable and definitely does not mean Mandatory To Force User Applications
To Advertise Support For

Nobody on the Internet uses TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, does that
mean that the TLS1.0 deployment is 0%?

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
