On 06.04.2015 at 03:25, Leif Hedstrom wrote:
On Apr 5, 2015, at 11:54 AM, Reindl Harald <[email protected]> wrote:

On 01.04.2015 at 19:45, David Boreham wrote:
There are concerns that the parameter size should now be larger than was
historically typical (2048-bit vs 1024-bit). However, there is no
mechanism in the protocol to negotiate the DHE parameter size.
Furthermore there are clients fairly commonly encountered (e.g. Java
JSSE older than very recent releases) that do not accept a 2048-bit DHE
parameter from a server, and do not act gracefully as a result. For
these reasons it seems that DHE is normally best disabled on the server

wrong justification; that affects Java6, which doesn't support SNI and hence is 
out of the game anyway when it comes to ATS. all other known clients 
supporting DHE but not ECDHE are happy with a 2048-bit prime

Besides the other stuff, what does not having SNI in Java6 and ATS have to do 
with each other? ATS most certainly supports setups that do not require SNI. 
You can configure certificates based on the server IP in the configuration.

interesting, but not expected from an end user like me. but to be honest, the whole issue and discussion would not exist if ATS handled a certfile identically to httpd, because with a PEM file structure like the one below it would contain the whole chain as well as the ECDHE and DHE params

if it then read the certificates as root before dropping privileges (like httpd), you could even re-use the same wildcard certificates without making a copy with wide-open permissions

that would make "dhparams_file" obsolete, or at least optional for DHE usage, while its absence, as now, could disable them completely

-----BEGIN CERTIFICATE-----
certificate
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
key
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
intermediate CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate CA
-----END CERTIFICATE-----
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAsac1gnF4WOUXc54XNc/JiEdgPzF9vYroubsPTx3eFQoyW1MUUXmj
b65ATEwn4iMkQvee7GEiuWsr1kM5FUeoggYs7LV9asKjvhvMuvNkonmPh4zxvuNR
m8dV7wy9N+UnIR02vxKwWNCGroQAu1Glj+kI1dfTMcJbBy9RLVnfGIx/2wnBkZ+W
Rk5+RrMZfl9JKWq1k2yaZ1TM2arGQ0vQCOZwi8szYwAgBwOYTl0qZbr02qqFww89
Yn0CfMOpjzRsrw3Md+miJWPxhPUcGQKcJ6aW979lYHqX8YY46M2wardjqZhpJric
l52c11s3i39YM75txNrQeW4gXtlMfV6NgwIBAg==
-----END DH PARAMETERS-----
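Added example, not code from the thread or from ATS/httpd: a small Python parser for the combined PEM layout sketched above, which splits the file into its blocks in order and reads the DHE prime size out of the DH PARAMETERS block (the 2048-bit requirement the thread argues about). The CERTIFICATE and PRIVATE KEY bodies in the sample are constructed placeholders; the EC and DH PARAMETERS blocks are the ones posted.

```python
import base64
import re

# Constructed sample of the combined PEM layout proposed in the thread: CERTIFICATE and
# PRIVATE KEY bodies are placeholders; the EC and DH PARAMETERS blocks are the posted ones.
COMBINED_PEM = """\
-----BEGIN CERTIFICATE-----
c2VydmVyIGNlcnQgcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
a2V5IHBsYWNlaG9sZGVy
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
aW50ZXJtZWRpYXRlIENBIHBsYWNlaG9sZGVy
-----END CERTIFICATE-----
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAsac1gnF4WOUXc54XNc/JiEdgPzF9vYroubsPTx3eFQoyW1MUUXmj
b65ATEwn4iMkQvee7GEiuWsr1kM5FUeoggYs7LV9asKjvhvMuvNkonmPh4zxvuNR
m8dV7wy9N+UnIR02vxKwWNCGroQAu1Glj+kI1dfTMcJbBy9RLVnfGIx/2wnBkZ+W
Rk5+RrMZfl9JKWq1k2yaZ1TM2arGQ0vQCOZwi8szYwAgBwOYTl0qZbr02qqFww89
Yn0CfMOpjzRsrw3Md+miJWPxhPUcGQKcJ6aW979lYHqX8YY46M2wardjqZhpJric
l52c11s3i39YM75txNrQeW4gXtlMfV6NgwIBAg==
-----END DH PARAMETERS-----
"""

_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def parse_pem(text):
    """Split a combined PEM file into (label, base64 body) pairs in file order."""
    return [(m.group(1), "".join(m.group(2).split())) for m in _BLOCK.finditer(text)]

def _der(buf, pos=0):
    """Decode the DER TLV at pos -> (tag, value); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length]

def dh_prime_bits(text):
    """Bit length of p in the DH PARAMETERS block (SEQUENCE { p INTEGER, g INTEGER })."""
    body = dict(parse_pem(text))["DH PARAMETERS"]
    tag, seq = _der(base64.b64decode(body))
    assert tag == 0x30, "DH params must be a SEQUENCE"
    tag, p = _der(seq)  # first element is the prime modulus p
    assert tag == 0x02, "p must be an INTEGER"
    return int.from_bytes(p, "big").bit_length()
```

A server that loads such a file can refuse to enable DHE when `dh_prime_bits()` comes back below 2048 rather than silently serving a weak group.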
