Viktor Dukhovni <ietf-d...@dukhovni.org> writes:

>The client is expected to send a complete list of *all* the groups it
>supports if it supports (any of) the new designated groups. Which means that
>clients that support these groups will use only these groups with servers
>that likewise support these groups, and will not use FFDHE when the client
>group list and the server group list don't overlap (which seems unlikely).
But the text above says that if the server doesn't support what the client
asks for, you can't use PFS/DH/FFDHE/whatever you want to call it at all. I
don't care whether the server does exactly ffdhe2048 or not, I'll take
ffdhe2048 if available, otherwise anything DHE as long as it's over about 1536
bits, and for a lot of clients my code is used in, under about 3K bits because
they don't have the CPU for more than that, and in addition don't need that
level of security. However, what the above text says is that if the server
can't do exactly ffdhe2048 then it's not allowed to do any DHE at all and has
to use RSA.

>There's no guess, the client sends its full list of supported groups, and the
>server picks the one it likes.

... and if the client doesn't get it exactly right, the server has to fall
back to RSA rather than use another DHE suite of its choosing.

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
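To make the negotiation rule being argued over concrete, here is an added model (not from the thread or from any TLS implementation) of the server's choice under the negotiated-FFDHE draft as both posters describe it: a client that advertises named groups gets one of them or a non-DHE fallback, and never a substitute group. The legacy path, where a client advertising no named group receives whatever DH group the server has configured and must judge its size itself, is assumed here as the contrast that Peter's "anything over about 1536 bits" policy would need; the function names, the `Outcome` type and the sibling group names beside ffdhe2048 are the example's own.

```python
from dataclasses import dataclass
from typing import Optional

# Named FFDHE groups and their sizes in bits. The thread names only ffdhe2048;
# the others are the sibling groups from the same draft (assumed here).
FFDHE_BITS = {"ffdhe2048": 2048, "ffdhe3072": 3072, "ffdhe4096": 4096,
              "ffdhe6144": 6144, "ffdhe8192": 8192}


@dataclass
class Outcome:
    key_exchange: str      # "DHE", or "RSA" for the non-DHE fallback
    group: Optional[str]   # a named group, "custom" (server's own), or None
    bits: Optional[int]    # modulus size actually used, or None


def server_select(client_groups, server_named, server_custom_bits=None):
    """Server-side choice under the rule described in the exchange.

    client_groups:      the full list of groups the client advertises.
    server_named:       named FFDHE groups the server supports, preferred first.
    server_custom_bits: size of a legacy, server-chosen DH group, or None.
    """
    client_ffdhe = [g for g in client_groups if g in FFDHE_BITS]
    if client_ffdhe:
        # Client spoke the new extension: pick a group both sides list,
        # or give up on DHE entirely. No substitute group is permitted.
        for g in server_named:
            if g in client_ffdhe:
                return Outcome("DHE", g, FFDHE_BITS[g])
        return Outcome("RSA", None, None)
    # Client advertised no named group: legacy behaviour, the server may use
    # its own custom group and the client has to vet the size after the fact.
    if server_custom_bits is not None:
        return Outcome("DHE", "custom", server_custom_bits)
    return Outcome("RSA", None, None)


def client_accepts(outcome, min_bits=1536, max_bits=3072):
    """The policy Peter describes: any DHE group in a size window (constructed
    defaults of 1536..3072 bits taken from his message), nothing else."""
    if outcome.key_exchange != "DHE" or outcome.bits is None:
        return False
    return min_bits <= outcome.bits <= max_bits


if __name__ == "__main__":
    # Peter's complaint: the client offers only ffdhe2048, the server only
    # has ffdhe3072 plus a 2048-bit custom group, and the result is RSA.
    print(server_select(["ffdhe2048"], ["ffdhe3072"], server_custom_bits=2048))
    # The same server with a client that says nothing gets DHE over the
    # custom group, which Peter's size window would happily accept.
    print(server_select([], ["ffdhe3072"], server_custom_bits=2048))
```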