> On Apr 5, 2015, at 11:54 AM, Reindl Harald <[email protected]> wrote:
> 
> 
> On 01.04.2015 at 19:45, David Boreham wrote:
>> There are concerns that the parameter size should now be larger than was
>> historically typical (2048-bit vs 1024-bit). However, there is no
>> mechanism in the protocol to negotiate the DHE parameter size.
>> Furthermore there are clients fairly commonly encountered (e.g. Java
>> JSSE older than very recent releases) that do not accept a 2048-bit DHE
>> parameter from a server, and do not act gracefully as a result. For
>> these reasons it seems that DHE is normally best disabled on the server
> 
> wrong justification, that affects Java6 which doesn't support SNI and hence is 
> anyways out of the game when it comes to ATS, all other known clients 
> supporting DHE while not ECDHE are happy with a 2048 prime


Besides the other stuff, what does not having SNI in Java6 and ATS have to do 
with each other? ATS most certainly supports setups which do not require SNI. 
You can configure certificates based on the server IP in the configuration.

— leif
