Re: [PATCH] Follow OpenSSL's switch from AES128 to AES256 for session tickets

Hello! On Mon, Nov 07, 2016 at 12:09:40AM +0100, Christian Klinger via nginx-devel wrote: > # HG changeset patch > # User Christian Klinger > # Date 1478473338 -3600 > # Node ID 36f66e94771dd39e8948ba1023e5ca0677655840 > # Parent 92ad1c92bcf93310bf59447dd581cac37af87adb > SSL: switch from AES1

Re: [PATCH] Follow OpenSSL's switch from AES128 to AES256 for session tickets

# HG changeset patch # User Christian Klinger # Date 1478473338 -3600 # Node ID 36f66e94771dd39e8948ba1023e5ca0677655840 # Parent 92ad1c92bcf93310bf59447dd581cac37af87adb SSL: switch from AES128 to AES256 for TLS Session Tickets. OpenSSL switched from AES128 to AES256 for de-/encryption of sessi

Re: [PATCH] Follow OpenSSL's switch from AES128 to AES256 for session tickets

Hey Christian, > # HG changeset patch > # User Christian Klinger > # Date 1478468739 -3600 > # Node ID 9cfbbce1ec24a31c29ea2f20cb21e32e5173bc60 > # Parent 92ad1c92bcf93310bf59447dd581cac37af87adb > Follow OpenSSL's switch from AES128 to AES256 for session tickets This should be: SSL: switch fr

Re: [PATCH] Follow OpenSSL's switch from AES128 to AES256 for session tickets

Hi, On Sun, Nov 06, 2016 at 03:19:36AM -0800, Piotr Sikora wrote: > ...and while we're breaking backward-compatibility, we should also > change the order in which values are read from files to match what > OpenSSL, BoringSSL & Apache are doing, [...] Done. (See follow-up message) Best regards, C

Re: [PATCH] Follow OpenSSL's switch from AES128 to AES256 for session tickets

# HG changeset patch # User Christian Klinger # Date 1478468739 -3600 # Node ID 9cfbbce1ec24a31c29ea2f20cb21e32e5173bc60 # Parent 92ad1c92bcf93310bf59447dd581cac37af87adb Follow OpenSSL's switch from AES128 to AES256 for session tickets OpenSSL switched from AES128 to AES256 for de-/encryption o

Re: [PATCH] Follow OpenSSL's switch from AES128 to AES256 for session tickets

Hi, On Sat, Nov 05, 2016 at 07:07:23PM -0700, Piotr Sikora wrote: > Also, considering that recent versions of OpenSSL use AES256 by > default (i.e. when keys are not provided using > "ssl_session_ticket_key" directive), we shouldn't provide a way lower > the security of Session Tickets. If backwa

Re: [PATCH] Follow OpenSSL's switch from AES128 to AES256 for session tickets

Hey, > While I agree that we should bump this to AES256 (or at least, make it > work with both), your change to use AES256 with keys that are > half-filled with zeros doesn't seem very appealing... > > I suggest that "ssl_session_ticket_key" should either accept only 80 > byte files (for use with

Re: [PATCH] Follow OpenSSL's switch from AES128 to AES256 for session tickets

Hey Christian, > # HG changeset patch > # User Christian Klinger > # Date 1478383992 -3600 > # Node ID 5719a734584d23a6bcd22a3e59dd36138d06b803 > # Parent 92ad1c92bcf93310bf59447dd581cac37af87adb > Follow OpenSSL's switch from AES128 to AES256 for session tickets > > OpenSSL switched from AES128

[PATCH] Follow OpenSSL's switch from AES128 to AES256 for session tickets

# HG changeset patch # User Christian Klinger # Date 1478383992 -3600 # Node ID 5719a734584d23a6bcd22a3e59dd36138d06b803 # Parent 92ad1c92bcf93310bf59447dd581cac37af87adb Follow OpenSSL's switch from AES128 to AES256 for session tickets OpenSSL switched from AES128 to AES256 for de-/encryption o