[Cryptography] What TLS ciphersuites are still OK?

Hanno Böck hanno at hboeck.de
Mon Sep 9 17:14:31 EDT 2013


On Mon, 9 Sep 2013 17:29:24 +0100
Ben Laurie <ben at links.org> wrote:

> Perry asked me to summarise the status of TLS a while back ...
> luckily I don't have to because someone else has:
> 
> http://tools.ietf.org/html/draft-sheffer-tls-bcp-00
> 
> In short, I agree with that draft. And the brief summary is: there's
> only one ciphersuite left that's good, and unfortunately it's only
> available in TLS 1.2:
> 
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

I don't really see from the document why the authors discourage
ECDHE-suites and AES-256. Both should be okay and we end up with four
suites:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Also, DHE should only be considered secure with a large enough modulus
(>=2048 bit). Apache hard-fixes this to 1024 bit and it's not
configurable. So an argument can even be made that ECDHE is more
secure - it doesn't have a widely deployed webserver using it in an
insecure way.


cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42
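
Added example, not part of the original message: a small Python audit that applies the criteria from the message above (ephemeral DHE/ECDHE key exchange, AES-GCM, and a DHE modulus of at least 2048 bits) to a list of IANA suite names. The function names, the sample suite list and the 1024-bit modulus passed in are constructed for illustration.

```python
import re

# IANA TLS 1.2 suite names: TLS_<kx>[_<auth>]_WITH_<cipher>_<hash>
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Za-z0-9]+?)(?:_(?P<auth>[A-Za-z0-9]+))?"
    r"_WITH_(?P<cipher>.+)_(?P<prf>SHA\d*|MD5)$"
)
MIN_DH_BITS = 2048  # threshold stated in the message

# Constructed sample: the four suites from the message plus two others.
SAMPLE_OFFERED = [
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
]


def audit_suite(name, dh_modulus_bits=None):
    """Return findings for one suite; an empty list means it passes."""
    m = SUITE_RE.match(name)
    if not m:
        return ["unparseable suite name"]
    kx, cipher = m["kx"], m["cipher"]
    findings = []
    if kx not in ("DHE", "ECDHE"):
        findings.append(f"key exchange {kx} is not ephemeral Diffie-Hellman")
    if cipher not in ("AES_128_GCM", "AES_256_GCM"):
        findings.append(f"cipher {cipher} is not AES-GCM")
    if kx == "DHE":  # modulus size only matters for finite-field DHE
        if dh_modulus_bits is None:
            findings.append("DHE modulus size unknown")
        elif dh_modulus_bits < MIN_DH_BITS:
            findings.append(f"DHE modulus {dh_modulus_bits} bits < {MIN_DH_BITS}")
    return findings


def audit(offered, dh_modulus_bits=None):
    """Map each offered suite name to its list of findings."""
    return {s: audit_suite(s, dh_modulus_bits) for s in offered}


if __name__ == "__main__":
    # 1024 bits models the fixed DHE modulus described in the message.
    for suite, findings in audit(SAMPLE_OFFERED, dh_modulus_bits=1024).items():
        print(suite, "->", "OK" if not findings else "; ".join(findings))
```

With a 1024-bit modulus only the two ECDHE GCM suites pass; with 2048 bits all four suites from the message pass.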