On Fri, Nov 01, 2013 at 09:56:10PM +0100, Walter H. wrote:

> Which one of the following two is better (1) or (2)?
>
> (1)
>
> SSL_CIPHER=DHE-RSA-CAMELLIA256-SHA

    $ openssl ciphers -v DHE-RSA-CAMELLIA256-SHA
    DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1

> (2)
>
> SSL_CIPHER=AES128-SHA256

    $ openssl ciphers -v AES128-SHA256
    AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256

They're both fine. Your question has no answer, except that neither
is known to be weak enough that you should avoid it. The latter
requires OpenSSL 1.0.1 which (IIRC) introduces support for TLSv1.2.

- These are available at different minimum protocol versions.
- These use different bulk crypt algorithms
- At different key lengths
- With different key exchange algorithms.

Does your application need to perform faster, offer forward-secrecy,
be most interoperable, ... ?

-- 
Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
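Added example, not part of the original message: a small Python parser for `openssl ciphers -v` output that lists, for the two suites quoted above, the attributes the reply says they differ in. The function names and the forward-secrecy rule (a bare Kx=DH or Kx=ECDH means an ephemeral exchange) are assumptions of this example.

```python
import re

# The two `openssl ciphers -v` output lines quoted in the message above.
SAMPLE = """\
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
"""

# Assumption: an ephemeral key exchange is printed as a bare Kx=DH or Kx=ECDH;
# static variants carry a suffix (e.g. Kx=DH/RSA) and Kx=RSA is key transport.
EPHEMERAL_KX = {"DH", "ECDH"}
ENC_RE = re.compile(r"^(?P<alg>[^()]+)\((?P<bits>\d+)\)$")


def parse_line(line):
    """Parse one line of `openssl ciphers -v` output into a dict."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("not a cipher description: %r" % line)
    attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
    missing = {"Kx", "Au", "Enc", "Mac"} - attrs.keys()
    if missing:
        raise ValueError("missing fields %s in %r" % (sorted(missing), line))
    m = ENC_RE.match(attrs["Enc"])  # Enc=None (null cipher) has no key size
    return {
        "name": fields[0],
        "min_protocol": fields[1],  # lowest protocol version offering the suite
        "kx": attrs["Kx"],
        "au": attrs["Au"],
        "cipher": m["alg"] if m else attrs["Enc"],
        "bits": int(m["bits"]) if m else None,
        "mac": attrs["Mac"],
        "forward_secrecy": attrs["Kx"] in EPHEMERAL_KX,
    }


def parse_all(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def differences(a, b):
    """Return {attribute: (value_a, value_b)} for every attribute that differs."""
    return {k: (a[k], b[k]) for k in a if k != "name" and a[k] != b[k]}


if __name__ == "__main__":
    first, second = parse_all(SAMPLE)
    for attr, (x, y) in differences(first, second).items():
        print("%-16s %-12s %s" % (attr, x, y))
```
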