Of course! This is implicit in my posting. What I am saying is that, like old v1/v2 handshakes, Tor should be moving in the direction of eliminating DHE. The way to approach that is to *count* the number of DHE handshakes and other TLS session attributes. This is currently being done for TOR/NTOR handshakes but is not for TLS negotiations.

0.2.7 will not build/run with openssl 0.9.8, so once 0.2.7 is widely deployed DHE can be forcibly disabled. BUT, as with v1/v2 handshakes, one would not want to do that prematurely, so counting them is a good idea. That suggestion is the principal idea of the thread.

At 20:01 8/2/2015 +0300, you wrote:
>I think that is to maintain a backward
>compatibility. Tor tries as hard as possible to
>maintain backward compatibility with older
>versions, unless something critical which requires
>deprecation regardless some relays will disappear
>from the consensus.
>
>I guess this is the reason we currently prefer
>ECDHE but do not reject DHE. In the future, when
>we are certain everyone upgraded to new enough
>OpenSSL, we can safely reject DHE all the time.
>
_______________________________________________
tor-relays mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
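An added illustration of the counting the poster proposes, not code from Tor or from anyone in the thread: a small Python tally of TLS handshakes by key-exchange method, so an operator can see what share of negotiations would break if DHE were disabled. It assumes a hypothetical record format of `<timestamp> <OpenSSL cipher-suite name>`, one line per handshake; the sample records are constructed.

```python
from collections import Counter

# Constructed sample records (hypothetical "<timestamp> <OpenSSL cipher name>"
# format); these are not Tor's own log lines.
SAMPLE_HANDSHAKES = """\
2015-08-02T17:01:03 ECDHE-RSA-AES256-GCM-SHA384
2015-08-02T17:01:04 DHE-RSA-AES256-SHA
2015-08-02T17:01:05 ECDHE-RSA-AES128-GCM-SHA256
2015-08-02T17:01:07 DHE-RSA-AES128-SHA
2015-08-02T17:01:09 AES256-SHA
2015-08-02T17:01:10 ECDHE-RSA-AES256-SHA
"""


def key_exchange(cipher: str) -> str:
    """Classify an OpenSSL-style cipher-suite name by its key-exchange method."""
    if cipher.startswith("ECDHE-"):
        return "ECDHE"          # ephemeral elliptic-curve DH (forward secrecy)
    if cipher.startswith("ECDH-"):
        return "ECDH"           # static EC DH, no forward secrecy
    if cipher.startswith(("DHE-", "EDH-")):
        return "DHE"            # OpenSSL uses both spellings for ephemeral finite-field DH
    if cipher.startswith(("ADH-", "AECDH-")):
        return "ANON"           # anonymous DH, unauthenticated
    return "RSA"                # static RSA key transport, no forward secrecy


def count_key_exchanges(records: str) -> Counter:
    """Tally one handshake per well-formed record; malformed lines are skipped."""
    counts: Counter = Counter()
    for line in records.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        counts[key_exchange(parts[1])] += 1
    return counts


def dhe_share(counts: Counter) -> float:
    """Fraction of handshakes that negotiated finite-field DHE (0.0 if no records)."""
    total = sum(counts.values())
    return counts["DHE"] / total if total else 0.0


if __name__ == "__main__":
    c = count_key_exchanges(SAMPLE_HANDSHAKES)
    print(dict(c), f"DHE share: {dhe_share(c):.1%}")
```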
