On 01.01.2015 20:46, Steffan Karger wrote: > As requested on the mailing list and in trac ticket #410, add an option to > disable 'traditional' Diffie Hellman key exchange. People want to be able > to create ecdh-only configurations. > > This patch also disables RSA key exchange by default for OpenSSL builds, to > prevent that people who set "--dh none" but have an OpenSSL version that > doesn't support ECDH end up with a less secure connection. Note that users > that specify their own --tls-cipher override these defaults and thus can > still use whatever OpenSSL supports (and might thus end up with less secure > connections). > > PolarSSL does not allow to easily disable RSA key exchange during runtime, > but its default compile options do not include RSA key exchange based > cipher suites. > > Finally update the manpage to reflect the new behaviour, and while touching > it change the text to motivate users towards a more secure configuration. > > v2 - disable RSA key exchange by default > > ACK. On a side note we should document the default of tls-cipher (DEFAULT:!EXP:!PSK:!SRP:!kRSA) in the man page.
Arne
