From eugen@leitl.org Fri Sep 13 01:32:08 2013
From: Eugen Leitl
To: cypherpunks@lists.cpunks.org
Subject: Re: [guardian-dev] Improving enabled TLS Cipher Suites
Date: Fri, 13 Sep 2013 07:32:04 +0200
Message-ID: <20130913053204.GX10405@leitl.org>

----- Forwarded message from coderman -----

Date: Wed, 11 Sep 2013 15:13:09 -0700
From: coderman
To: David Chiles
Cc: Guardian Dev
Subject: Re: [guardian-dev] Improving enabled TLS Cipher Suites

of all the suites, these look good (assuming 2k RSA keys)

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

all the rest do not provide forward secrecy, or use ECC with suspect
constants, or use weak ciphers.

i'm open to hearing arguments otherwise.

> ...
> TLS_RSA_WITH_AES_256_CBC_SHA256
> TLS_RSA_WITH_AES_128_CBC_SHA256
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> TLS_DH_anon_WITH_AES_128_CBC_SHA256
> TLS_DH_anon_WITH_AES_256_CBC_SHA256
> TLS_DH_anon_WITH_AES_128_CBC_SHA
> TLS_DH_anon_WITH_AES_256_CBC_SHA
> TLS_ECDH_anon_WITH_AES_128_CBC_SHA
> TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
> TLS_ECDHE_ECDSA_WITH_NULL_SHA
> TLS_ECDHE_RSA_WITH_NULL_SHA
> TLS_RSA_WITH_NULL_MD5
> SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
> TLS_RSA_WITH_NULL_SHA256
> TLS_RSA_WITH_NULL_SHA
> SSL_RSA_WITH_NULL_MD5

>> ...
>> "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
>> "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
>> "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
>>
>> "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
>> "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
>> "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
>>
>> "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
>> "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
>> "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
>>
>> "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
>> "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
>> "TLS_ECDH_RSA_WITH_RC4_128_SHA",
>>
>> "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
>> "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
>>
>> "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
>> "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
>>
>> "TLS_RSA_WITH_AES_256_CBC_SHA",
>> "TLS_RSA_WITH_AES_128_CBC_SHA"
>> ...

----- End forwarded message -----
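
The three rejection criteria named in the forwarded message (no forward secrecy, ECC, weak ciphers) can be applied mechanically to suite names. The following is an added example, not code from the thread or from the Guardian Project. The function names, the `WEAK_TOKENS` set and the extra rule rejecting `anon` suites are assumptions.

```python
import re

# Tokens treated as weak or absent encryption (assumption: the message says
# "weak ciphers" without enumerating them).
WEAK_TOKENS = {"NULL", "RC4", "3DES", "DES40", "EXPORT"}
SUITE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_.+$")

def audit_suite(name):
    """Return the reasons a suite is rejected; an empty list means it passes."""
    m = SUITE.match(name)
    if m is None:
        return ["unparseable suite name"]
    kx = m.group("kx").split("_")          # e.g. ["DHE", "RSA"], ["DH", "anon"]
    reasons = []
    if "anon" in kx:
        # Added rule, not one of the message's three: no server authentication.
        reasons.append("anonymous key exchange")
    elif kx[0] not in ("DHE", "ECDHE"):
        reasons.append("no forward secrecy")
    if kx[0].startswith("EC"):
        reasons.append("uses ECC")
    weak = [t for t in name.split("_") if t in WEAK_TOKENS]
    if weak:
        reasons.append("weak cipher: " + "/".join(weak))
    # Not judged here: MAC (SHA, SHA256, MD5) and RSA key size, which the
    # suite name cannot show (the message assumes 2k RSA keys).
    return reasons

def select(suites):
    """Keep only suites with no rejection reason, preserving input order."""
    return [s for s in suites if not audit_suite(s)]

# Constructed sample: a subset of the suite names quoted in the thread.
SAMPLE = """
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DH_anon_WITH_AES_128_CBC_SHA256
TLS_ECDH_anon_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_NULL_SHA SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_WITH_NULL_MD5 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
""".split()

if __name__ == "__main__":
    for suite in SAMPLE:
        print(f"{suite:42} {', '.join(audit_suite(suite)) or 'OK'}")
```

The list returned by `select()` keeps its input order, so it can be passed directly as a preference-ordered enabled-suites list.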