On 08/27/16 12:32, Guenther Niess wrote:
...
Or do you think we should change
+ .algo_strength = SSL_HIGH,
to
+ .algo_strength = SSL_MEDIUM,
This matter seems to be highly subjective. I personally don't like and
don't make use of the LOW/MEDIUM/HIGH keywords for configuring TLS
cipher suites in web servers. RFC 7525 might be a reasonably good
baseline - however, it essentially provides minimum recommendations
which are not necessarily the recommended choice for HIGH in my opinion.
Due to its block length of 64 bits, 3DES should probably be removed from
HIGH due to the Sweet32 attack (see https://sweet32.info/ ).
I personally would not list any CBC-based cipher suites as HIGH since
TLS uses them in mac-then-encrypt fashion, which is generally considered
to be less robust by most cryptographers. Encrypt-then-MAC is only
available via a TLS extension (RFC 7366). However, in case a TLS library
actually supports this extension, it typically already provides support
for AEAD cipher suites. CBC-based cipher suites are mostly required for
interoperability with older TLS clients, but should HIGH be tailored for
interoperability?
Slightly unrelated: OpenSSL 1.1.0 has added support for ecdh_x25519 and
seems to have made it its new default over NIST P-256
(https://www.openssl.org/news/changelog.html#x0). This might also be a
nice addition to LibreSSL.
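The following audit script is an added example, not code from this thread or from LibreSSL: it applies the two objections raised above (64-bit block length per Sweet32, and mac-then-encrypt for every non-AEAD suite) to cipher descriptions in the openssl ciphers -v layout. The sample lines, the HIGH/MEDIUM labels and the BLOCK_BITS table are constructed for this example.

```python
"""Rate TLS cipher suites by the two objections in the thread: 64-bit
block ciphers (Sweet32) and mac-then-encrypt (non-AEAD) constructions.
Input lines follow the ``openssl ciphers -v`` layout."""
import re

# Block length in bits for cipher families seen in the Enc= field
# (constructed lookup table for this example).
BLOCK_BITS = {"3DES": 64, "DES": 64, "IDEA": 64, "AES": 128, "AESGCM": 128,
              "AESCCM": 128, "CAMELLIA": 128}

# Sample lines in ``openssl ciphers -v`` layout, constructed for this example.
SAMPLE = """\
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""

LINE_RE = re.compile(r"^(?P<name>\S+)\s+\S+\s+Kx=\S+\s+Au=\S+\s+"
                     r"Enc=(?P<enc>[^\s(]+)\(\d+\)\s+Mac=(?P<mac>\S+)")

def sweet32_bound_bytes(block_bits):
    """Bytes after which a ciphertext-block collision is expected under one
    key: about 2^(n/2) blocks of n/8 bytes. For n=64 this is 32 GiB."""
    return (1 << (block_bits // 2)) * (block_bits // 8)

def classify(line):
    """Return (name, level, reason) for one ``openssl ciphers -v`` line."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("unrecognised cipher line: %r" % line)
    name, enc, mac = m["name"], m["enc"], m["mac"]
    if mac == "AEAD":
        return name, "HIGH", "AEAD suite"
    block = BLOCK_BITS.get(enc)
    if block is not None and block <= 64:
        gib = sweet32_bound_bytes(block) // (1 << 30)
        return name, "MEDIUM", "%d-bit block, Sweet32 bound ~%d GiB" % (block, gib)
    return name, "MEDIUM", "mac-then-encrypt (non-AEAD); assumes no RFC 7366 EtM"

def audit(text):
    """Map every suite name in the text to its (level, reason)."""
    result = {}
    for line in text.splitlines():
        if line.strip():
            name, level, reason = classify(line)
            result[name] = (level, reason)
    return result
```

Feed it real output with audit(open("ciphers.txt").read()) to see which suites a HIGH list would keep under the reasoning above.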