Hi,

Thank you for the clarifications.

Regards,
Sanjaya

On Fri, Jun 8, 2018 at 4:30 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:

> (Top posting for consistency).
>
> Once the client receives the TLS1.2 server's choice of DH group,
> it can either accept it or abort the connection.
>
> However if both client and server support the "supported_groups"
> extension (RFC4492) with the additional DH group identifiers in
> RFC7919, they can negotiate a common accepted group of desired
> strength, though the mechanism (like TLS1.3) is artificially
> limited to a fixed set of groups listed in the RFC.
>
>
> On 08/06/2018 12:15, Sanjaya Joshi wrote:
>
>> Hello,
>> Thank you Matt and Jordan. So, it seems that it's possible to modify my
>> client to accept/reject the DH group key length. But I have one more issue
>> to be clarified.
>>
>> Is it possible that if a client does not accept the DH group key length
>> used by the server, then, a different possible cipher (for e.g., RSA) is
>> tried to be negotiated. It seems that the connection is rejected, instead
>> of falling back to a different possible cipher. At least, I tested this
>> quickly using s_client and s_server, and the behavior is as stated above,
>> i.e., no fallback and connection was terminated. Is this the default
>> OpenSSL behavior or this behaviour could be modified somehow by
>> applications ?
>>
>> Regards,
>> Sanjaya
>>
>> On Thu, Jun 7, 2018 at 8:43 PM, Matt Caswell <m...@openssl.org> wrote:
>>
>>     On 07/06/18 16:02, Jordan Brown wrote:
>>     > I do not understand, however, how the 80 relates to a 1024-bit
>>     > limit.
>>
>>     It's a measure of the "security bits" of an algorithm according to
>>     table 2 in this doc:
>>     https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt1r4.pdf
>>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
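The accept-or-abort decision described in the quoted replies, as an added example that is not code from any poster or from OpenSSL: it parses a TLS 1.2 `ServerDHParams` structure (RFC 5246), sizes the server's modulus, maps it to "security bits" using the finite-field column of NIST SP 800-57 Part 1 Table 2, and decides whether a client with a minimum strength policy would continue. The function names, the 112-bit default and the sample parameters are assumptions made for illustration; the sample modulus is constructed and is not a real prime.

```python
import struct

# NIST SP 800-57 Part 1, Table 2: (minimum DH modulus bits, security bits).
NIST_FFC = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]

def security_bits(p_bits):
    """Security strength for a DH modulus of p_bits; 0 if below 1024."""
    for modulus, strength in NIST_FFC:
        if p_bits >= modulus:
            return strength
    return 0

def parse_server_dh_params(body):
    """Split ServerDHParams (dh_p, dh_g, dh_Ys; 2-byte length each) into ints."""
    values, offset = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(body):
            raise ValueError(f"truncated before {name} length")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        if length == 0 or offset + length > len(body):
            raise ValueError(f"bad {name} length {length}")
        values.append(int.from_bytes(body[offset:offset + length], "big"))
        offset += length
    return tuple(values)  # any trailing signature bytes are ignored here

def client_decision(body, min_strength=112):
    """Return ('accept' or 'abort', modulus bits, security bits)."""
    p, g, ys = parse_server_dh_params(body)
    strength = security_bits(p.bit_length())
    # Size policy plus range checks on the generator and server public value.
    ok = strength >= min_strength and 1 < g < p - 1 and 1 < ys < p - 1
    return ("accept" if ok else "abort", p.bit_length(), strength)

def make_params(p_bits):
    """Constructed sample: odd modulus with top bit set (NOT a real prime), g=2."""
    p = (1 << (p_bits - 1)) | 0x1234567
    def field(n):
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(raw)) + raw
    return field(p) + field(2) + field(pow(2, 65537, p))

if __name__ == "__main__":
    for bits in (1024, 2048):
        print(bits, client_decision(make_params(bits)))
```

As in the thread, the only outcomes at this point in a TLS 1.2 handshake are continue or abort; the check does not trigger renegotiation of a different key exchange.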