On Tue, Jan 12, 2016 at 9:17 AM, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> > - Drop 99% of all cipher suites, leaving one traditional one (DHE + AES-CBC +
> > HMAC-SHA2 + RSA-SHA2/PSK for auth) and one ECC one (ECDHE + AES-GCM + HMAC-SHA2
> > + ECDSA-SHA2/PSK for auth) as must's (with a strong preference for OCB
> > instead of GCM as the AEAD if it were freely available).
>
> DHE has serious problems. While the present TLS 1.3 way of doing DHE
> isn't totally horrible, advertise DHE and you can get downnegotiation to
> TLS 1.2 DHE, and now you are screwed.
Nit: this shouldn't be possible with the anti-downgrade mechanism that was introduced in draft-11 because the server's signature will cover the random value. If you are aware of an issue here, I would appreciate more information.

-Ekr
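The mechanism Ekr refers to, modelled as an added example that is not part of the thread: a TLS 1.3-capable server that ends up negotiating TLS 1.2 stamps a fixed sentinel into the last 8 bytes of ServerHello.random, and because the TLS 1.2 ServerKeyExchange signature covers client_random || server_random || ServerDHParams, a man-in-the-middle that strips TLS 1.3 from the ClientHello can neither remove the sentinel nor forge a random without one. The sentinel bytes below are the ones from the published RFC 8446 (section 4.1.3), not quoted from draft-11; the HMAC used for "signing" is a stand-in for the real RSA/ECDSA signature so the script runs with only the standard library, and the function names, the key and the DH parameter bytes are all constructed for this example.

```python
import hashlib
import hmac
import os

# Protocol version numbers as they appear on the wire.
TLS12 = 0x0303
TLS13 = 0x0304

# Downgrade sentinel from RFC 8446 section 4.1.3: a TLS 1.3-capable server
# that negotiates TLS 1.2 writes "DOWNGRD" || 0x01 into the last 8 bytes
# of ServerHello.random.
SENTINEL_TLS12 = bytes.fromhex("444f574e47524401")

# Constructed stand-in for the server's signing key. Real TLS uses an
# asymmetric key (RSA/ECDSA); an HMAC key keeps this example stdlib-only.
SERVER_SIGNING_KEY = b"constructed-server-key-not-a-real-secret"


def build_server_random(entropy: bytes, server_max_version: int,
                        negotiated_version: int) -> bytes:
    """Return the 32-byte ServerHello.random for this negotiation."""
    if len(entropy) != 32:
        raise ValueError("ServerHello.random must be 32 bytes")
    if server_max_version >= TLS13 and negotiated_version == TLS12:
        # Server could have done 1.3 but is doing 1.2: stamp the sentinel.
        return entropy[:24] + SENTINEL_TLS12
    return entropy


def sign_server_params(key: bytes, client_random: bytes,
                       server_random: bytes, params: bytes) -> bytes:
    """Stand-in for the TLS 1.2 ServerKeyExchange signature.

    The real signature covers client_random || server_random || ServerDHParams,
    which is what binds the random value (and so the sentinel) to the server.
    """
    return hmac.new(key, client_random + server_random + params,
                    hashlib.sha256).digest()


def client_verify(key: bytes, client_random: bytes, server_random: bytes,
                  params: bytes, signature: bytes, client_max_version: int,
                  negotiated_version: int) -> str:
    """Client-side checks; returns 'ok', 'bad_signature' or 'downgrade_detected'."""
    expected = sign_server_params(key, client_random, server_random, params)
    if not hmac.compare_digest(expected, signature):
        return "bad_signature"
    if (client_max_version >= TLS13 and negotiated_version == TLS12
            and server_random[24:] == SENTINEL_TLS12):
        # Both ends support 1.3 yet 1.2 was negotiated: the ClientHello was
        # altered in transit. RFC 8446 says to abort with illegal_parameter.
        return "downgrade_detected"
    return "ok"


def simulate(server_max_version: int, attacker_strips_tls13: bool,
             attacker_patches_random: bool) -> str:
    """Run one handshake between a TLS 1.3-capable client and the given server."""
    client_max_version = TLS13
    client_random = os.urandom(32)
    # A man-in-the-middle may rewrite the version offered in the ClientHello.
    offered = TLS12 if attacker_strips_tls13 else client_max_version
    negotiated = min(offered, server_max_version)
    server_random = build_server_random(os.urandom(32), server_max_version, negotiated)
    params = b"constructed-ServerDHParams"  # placeholder for p, g, Ys
    signature = sign_server_params(SERVER_SIGNING_KEY, client_random,
                                   server_random, params)
    if attacker_patches_random:
        # Attempt to hide the sentinel; the signature already commits to the random.
        server_random = server_random[:24] + b"\x00" * 8
    return client_verify(SERVER_SIGNING_KEY, client_random, server_random, params,
                         signature, client_max_version, negotiated)


if __name__ == "__main__":
    print("honest 1.3 handshake:      ", simulate(TLS13, False, False))
    print("version stripped to 1.2:   ", simulate(TLS13, True, False))
    print("stripped + random patched: ", simulate(TLS13, True, True))
    print("server only speaks 1.2:    ", simulate(TLS12, False, False))
```

The last case is the limit of the mechanism and worth keeping in mind when reading the exchange above: a server that genuinely only speaks TLS 1.2 never writes the sentinel, so the client's check passes and the handshake proceeds as an ordinary TLS 1.2 DHE handshake. The sentinel protects a 1.3-capable client talking to a 1.3-capable server; it does not make TLS 1.2 DHE itself any stronger.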
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls